Abstract


The classical algebraic approach to the specification and verification of concurrent systems 
is tuned to distributed programs that rely on asynchronous communications and permit explicit 
data exchange. An applicative process algebra, obtained by embedding the Linda primitives for 
interprocess communication in a CCS/CSP-like language, and an imperative one, obtained from 
the applicative variant by adding a construct for explicit assignment of values to variables, are 
introduced. The testing framework is used to define behavioural equivalences for both languages 
and sound and complete proof systems for them are described together with a fully abstract 
denotational model (namely, a variant of Strong Acceptance Trees). © 2000 Elsevier Science 
B.V. All rights reserved. 
1. Introduction


The availability of sophisticated parallel hardware at limited costs has led to a pro- 
liferation of programming languages aiming at taking advantage of the new computing 
capabilities. These languages are equipped with primitives for interprogram communi- 
cation and permit designing concurrent and distributed programs. However, this class 
of programs is difficult to design and debug. The possible interactions between two or 
more concurrent programs may give rise to new, unwanted, behaviours and may lead 
to nondeterministic executions. 

There have been several efforts to model concurrent programs and to develop methods for reasoning about them. Probably, the most well-known approach is the process algebraic one (CCS [37], ACP [7], CSP [32], etc.). The basic idea of process algebras is that distributed systems may be modelled as sets of concurrent communicating processes, and the main aim is that of providing both description languages and techniques for assessing correctness. The languages are based on small sets of elementary constructs that permit describing systems at different levels of abstraction. The operators have intuitive interpretations, and model basic notions like parallel composition, nondeterminism, abstraction, sequentialization, etc.

Within the process algebraic approach, both specifications (the descriptions of the 
expected behaviour of systems in terms of their reactions to external stimuli) and imple- 
mentations (the detailed descriptions of systems with information about their logical 
or physical structures) can be expressed in the same language. There is no abso- 
lute distinction between specifications and implementations; within particular settings 
a program may be considered as a specification while in others it may be used as an 
implementation description. 

The relationships between the different levels are assessed by means of behavioural relations between systems. They can be used to check whether two systems have the "same" behaviour or one is an "approximation of" the other (see, e.g., [5,19,37,39]). Verification consists in studying the relationships between descriptions and implementations. This task may be, at least partially, mechanized either by taking advantage of sets of laws that are consistent with the selected behavioural relation or by "ad hoc" efficient algorithms.

The algebraic approach has so far mainly concentrated on languages with uninter- 
preted action symbols that rely on a synchronous paradigm for program interaction. 
Also, the exchange of information between programs has often been limited to syn- 
chronization signals and only in few cases languages have been studied that permit 
explicit data exchange. 

In this paper, we take the Linda paradigm for process interaction as our starting point for defining an asynchronous process algebra with explicit data value exchange. Linda [24,12] is a member of a relatively recent generation of global environment parallel languages (e.g. Concurrent Prolog [45], UNITY [14], Shared Prolog [3]) that differ from the previous ones because they offer, and often require, explicit control of interactions. A communication between Linda processes is obtained by accessing tuples (sequences of variables and data) in a shared memory called "tuple space" (a multiset of tuples). The communication mechanism is asynchronous, in that send operations are non-blocking, and associative, in that tuples are retrieved by referring to (part of) their content; read/receive operations look for tuples with a specific structure and may cause a block.

Our main objective is that of developing a semantic framework that supports analy- 
sis of programs written in some applicative (without assignment) or imperative (with 
assignment) Linda dialect. The languages we consider in this paper are somehow in 
between process algebras and the many Linda programming dialects. Linda itself is 
not a programming language; it is a coordination model whose primitives are devoted 
to coordinate interactions among programs. Concurrent languages can be obtained by 
embedding Linda in a sequential (functional, imperative, logic, etc.) programming lan- 
guage (see, e.g., [6,46,40,44]). 
We start by introducing a Process Algebra based on Linda (PAL), a process algebra obtained by interpreting abstract actions as Linda primitives. Asynchrony is modelled by considering outputs as elementary concurrent processes, whose execution does not delay the progress of the senders. By relying on commutativity and associativity of the operator for parallel composition, the Linda tuple space is rendered by means of parallel composition of (the processes which correspond to) its tuples.

We will use testing preorders [19,28] as the observational machinery for abstracting away from unwanted details of programs and for assessing their correctness by comparing them with respect to a notion of "being an approximation of". The choice of the observational machinery has been partially dictated by the language; for example, with our operators for modelling non-deterministic situations, bisimulation would fail to be an equivalence relation. The testing approach does not require any adaptation to the language; the observation mechanism directly relies on the communication paradigm.

A behavioural testing (must) preorder is defined, where observers are, like for CCS, processes which can interact with the observed process and report success. Two other equivalent interpretations for PAL processes are given: an equational interpretation via a sound and complete proof system, useful for performing process verification via symbolic manipulation, and a denotational one in terms of double-labelled trees, AT^L (acceptance trees for Linda), a generalization of the acceptance trees of [27].

We will also generalize this framework to IPAL, an imperative version of PAL with an assignment command. We shall however maintain that information between processes is exchanged only via the tuple space and shall thus be able to model private stores of processes via explicit substitutions. This choice, and the fact that PAL (and IPAL) binders for value variables and for process variables cannot interfere, enables us to reuse all of the theory developed for PAL to obtain a sound and complete proof system and a fully abstract denotational model for IPAL too. Our semantics for IPAL is a significant simplification of those in [30,23], which require explicit modelling of the processes' private stores when adapting the testing scenarios of CCS with value passing (see [29]) and of PAL (see [22]) to extensions with assignment prefixes.

The rest of the paper is organized as follows. In the next section, we briefly introduce Linda. In Sections 3 and 4 we introduce the syntax and the operational semantics of PAL, respectively. The testing theory of PAL is described in Section 5, while Section 6 contains its proof system and a small example that illustrates how the proof system works. In Section 7, by relying on standard algebraic semantics techniques, we define a denotational semantics for PAL which is fully abstract with respect to the testing preorders. In Section 8, we define syntax and operational semantics of IPAL, and show that all results for PAL smoothly generalize to the new formalism. In the last section, related work and future research are discussed.


2. A brief presentation of Linda 


Linda [24,12] is a coordination language that relies on an asynchronous and associative communication mechanism based on a shared global environment called tuple space (TS), a multiset of tuples. A tuple is an ordered sequence of actual fields (value objects) and formal fields (variables); the first field is always an actual field and is usually referred to as logic name or tag.

The basic interaction mechanism is pattern-matching; it is used to select tuples in TS. Matching is an indivisible action that permits non-deterministically selecting one of those tuples in TS with the same tag and the same number of fields as a given tuple t and such that corresponding fields have matching values or variables. Variables match any value of the same type and two values match only if identical.

There are four operations for manipulating tuple spaces: two, possibly blocking, operations for accessing and removing tuples and two non-blocking operations for adding tuples.

• in(t) triggers the evaluation of t and the search for a tuple t' in TS that matches t. If and when t' is found, it is removed from TS; the corresponding values of t' are assigned to the variables of t and the process continues. If no matching tuple is found, the process is suspended until one is available.

• read(t) is similar to in(t), but it does not require removal of the matched tuple t' from TS.

• out(t) triggers the evaluation of t and adds the outcoming tuple to TS.

• eval(t) is similar to out(t), but rather than forcing evaluation of t, it creates a new process that will evaluate t and eventually add the resulting tuple to TS.

It is worth noting that non-determinism is inherent in the definition of Linda primitives. It arises in two cases:

• different in/read operations are suspended waiting for the same tuple and such a tuple becomes available: only one of the suspended operations is non-deterministically selected to proceed;

• an in/read operation has more than one matching tuple: one is arbitrarily chosen.
The following example, borrowed from [12], is a simple C-Linda [44] solution of the dining philosophers problem. In the example, Num represents the number of philosophers and % the remainder of integer division.


    phil(i)
    int i;
    {
        while(1) {
            think();
            in("room ticket");
            in("chopstick", i);
            in("chopstick", (i+1)%Num);
            eat();
            out("chopstick", i);
            out("chopstick", (i+1)%Num);
            out("room ticket");
        }
    }

    initialize()
    {
        int i;
        for (i = 0; i < Num; i++) {
            out("chopstick", i);
            eval(phil(i));
            if (i < (Num-1)) out("room ticket");
        }
    }
The use of actual fields in the argument tuple of an in/read instruction is known as "structured naming". It makes TS content-addressable, in the sense that processes may select from a collection of tuples by matching the value of the component fields. Formal fields of tuples already in the tuple space are never updated, even when those tuples are used for matching in/read operations.

The Linda model is known as Generative Communication [24]. Indeed, once a tuple 
is added to TS (generated), its lifetime is independent from that of the producer process. 
This permits writing programs where complex data structures are distributed to allow 
different programs to work simultaneously on their elements. 


3. Syntax of PAL 


Since we are mainly interested in analyzing the concurrent features of the language, we assume that all values have the same type and allow only value expressions and boolean expressions. We assume existence of some predefined syntactic categories.

• Exp, the category of value expressions, which is ranged over by e, contains a set of variable symbols, Var, ranged over by x, y and z, and a non-empty countable set of value symbols, Val, ranged over by v.

• BExp, the category of boolean expressions, which is ranged over by be, contains the boolean values false (denoted by ff) and true (denoted by tt), and all boolean expressions obtained by using the usual boolean connectives (∧, ∨, ¬) and by applying the relational operators (=, <, ≤, >, ≥) to value expressions.

• a countable set of process variables, which is ranged over by X, Y and Z.

We rely on the standard notions of closed expression, i.e. without variables, and of substitution. This is a function from Var to Exp which is almost everywhere the identity. We write [e_1/x_1, ..., e_n/x_n] for the substitution σ defined by σ(x_i) = e_i whose non-trivial domain, denoted by bv(σ), is {x_1, ..., x_n}. We write σ[e/x] for denoting the substitution which is the same as σ except that x is mapped to e. We write e[e_1/x_1, ..., e_n/x_n] for denoting the expression which is obtained by simultaneously substituting each occurrence of x_i in e with e_i.

We let Tpl, ranged over by t, denote the set of (input and output) tuples. Tuples are sequences of fields, ranged over by f. We use !x for denoting a formal field that contains the variable x, e for denoting an actual field that contains the value expression e, and * for denoting a field that can only match fields of the same kind. For the sake of simplicity, we shall require that the variables that occur in the formal fields of each tuple be all different (this will allow us to abstract away from the evaluation ordering of tuples).

Apart from the basic Linda coordination operators (out, in, read, eval), our language has a few standard operators (see, e.g., [7,20]) for building up terms from basic ones; namely, nil (inaction), Ω (undefined), a._ (action prefix), if be then _ else _ (conditional), _[]_ (external choice), _⊕_ (internal choice), _|_ (parallel composition), _⌊_ (left-merge), _‖_ (communication-merge) and rec X._ (recursive definition).
Variables which occur in formal fields of an input tuple t are bound by in(t)._ and read(t)._. If E is a term, we let bv(E) denote the set of bound variables in E and fv(E) denote that of free variables in E. Substitutions of value-expressions for variables are also extended to terms. If E is a term, we use Eσ to denote the term resulting from simultaneously substituting in E all free occurrences of x ∈ Var with σ(x).

The notions of free and bound process variables are the standard ones, rec X._ being the binding operator. Substitutions for process variables, ranged over by ξ, are mappings from process variables to terms. Their applications to terms may require renaming of bound variables for avoiding captures.


Definition 3.1. The set of terms, ranged over by E and F, is generated from the following grammar:


E ::= nil | Ω | a.E | if be then E_1 else E_2 | E_1 op E_2 | X | rec X.E
a ::= out(t) | in(t) | read(t) | eval(E)
t ::= f | f, t
f ::= !x | e | *
op ::= []  |  ⊕  |  |  |  ⌊  |  ‖


We use PAL for denoting the set of all terms without free value variables and such that the variables in the formals of each tuple are all different and, within the body E of subterms rec X.E, X is not preceded by binders for value variables that are free in E. We will call processes those PAL terms which contain no free process variables. A process without recursion is called finite. We let Proc (ranged over by P, Q and R) denote the set of all processes.


In general, we will work with PAL terms and use E and F to range over them. Moreover, we shall often write a instead of a.nil, and use ≡ to denote syntactical identity and X^− to denote the set of all the operators except for in(t)._ and read(t)._.

Like in [4], because of the interplay between process binders and value variable binders, we have to put a restriction on PAL terms. The restriction ensures that no free value variable is bound when "unfolding" rec X.E into E[rec X.E/X]. Otherwise, the two terms could have different semantics. For an example, consider P ≡ in(!y).rec X.out(y).in(!y).X and Q ≡ in(!y).out(y).in(!y).rec X.out(y).in(!y).X. They would have different operational semantics because within P, y would be instantiated once and for all while within Q, y could be instantiated twice (actually, Q would have the same operational semantics as in(!x).out(x).in(!y).rec X.out(y).in(!y).X).


Notation 3.2. If t is a tuple, we let |t| denote the number of fields of t (i.e. the length of t), t_j the jth field in t (1 ≤ j ≤ |t|), and var(t) the set of variables in formal fields of t. With slight abuse of notation, if t_j = !x for some x ∈ Var, we let var(t_j) denote x.
Table 1
Tuple evaluation functions


O[[!x]] = *                   I[[!x]] = !x
O[[e]] = E[[e]]               I[[e]] = E[[e]]
O[[*]] = *                    I[[*]] = *
O[[f, t]] = O[[f]], O[[t]]    I[[f, t]] = I[[f]], I[[t]]

4. Operational semantics for PAL 


The operational rules for our language assume existence of functions for evaluating value expressions and boolean expressions. We let them be the functions E[[·]]: Exp → Val and B[[·]]: BExp → {ff, tt}, respectively. E[[e]] and B[[be]] will then denote the values of the expression e and of the boolean expression be provided they are closed (i.e. have no variables).

A single tuple is evaluated differently depending on whether it is an argument of out or of in/read. Tuples resulting from evaluations are elements of the sets EOT and EIT. These are subsets of Tpl defined as follows.


Definition 4.1. The set of evaluated output tuples, EOT, ranged over by ot, and the set of evaluated input tuples, EIT, ranged over by it, are generated from the following grammar:


ot ::= of | of, ot        it ::= if | if, it
of ::= * | v              if ::= !x | v | *


Since the communication capability of processes does not depend on the variables occurring in the formals of tuples, when evaluating output tuples, we do abstract away from these variables whilst, when evaluating input tuples, we need them to perform the substitutions after successful matchings. Functions O[[·]]: Tpl → EOT, for output evaluations, and I[[·]]: Tpl → EIT, for input evaluations, are defined inductively on the syntax of tuples in Table 1.

Pattern-matching between evaluated input and output tuples is performed by predicate match defined over EIT × EOT via the rules in Table 2. Our pattern-matching mechanism is slightly different from that of Linda (see Section 2). Indeed, we impose that values in input tuples can only match the same values in output tuples (hence, they cannot match formal fields of output tuples) and that the symbol * in input tuples can only match itself, i.e. formal fields of output tuples. This separation has simplified our semantic theory; it allows us, e.g., to determine the tuple that has been accessed by an in/read and, also, to express read in terms of in and out (law READ in Table 9). We can recover the original communication capabilities of Linda input primitives by making use of * and of the external choice operator []. For example,
Table 2
Pattern-matching rules


match(v, v)       v ∈ Val
match(!x, v)      x ∈ Var, v ∈ Val
match(*, *)


match(if, of),  match(it, ot)
-----------------------------
  match((if, it), (of, ot))


Table 3
Action relation (symmetrical versions of rules AR4-5 omitted)

AR1  in(t).E --ot?--> E[ot/I[[t]]]                      if match(I[[t]], ot)
AR2  read(t).E --ot?--> out(ot).nil | E[ot/I[[t]]]       if match(I[[t]], ot)
AR3  out(t).nil --ot!--> nil                             where ot = O[[t]]
AR4  P --α--> P'  ⟹  P [] Q --α--> P'
AR5  P --α--> P'  ⟹  P | Q --α--> P' | Q
AR6  P --α--> P'  ⟹  P ⌊ Q --α--> P' | Q
AR7  B[[be]] = tt, P --α--> P'  ⟹  if be then P else Q --α--> P'
AR8  B[[be]] = ff, Q --α--> Q'  ⟹  if be then P else Q --α--> Q'


the original Linda operation in(x,v) matches all tuples of the form (v', v) or (v', !y); in PAL, in(x,v) "followed by" P is rendered as in(!x, v).P [] in(!x, *).P.
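As an added example (my own code, not the paper's), the following tuple space implements the PAL matching rules of Table 2 next to the original Linda rule of Section 2, and shows how the external choice in(!x, v).P [] in(!x, *).P recovers Linda's in(x,v); the names Formal, STAR, TupleSpace and in_choice and the sample tuples are mine.

```python
# Added example (not from the paper): a tuple space with PAL matching (Table 2)
# beside the original Linda rule (Section 2), plus the encoding
# in(x,v).P [] in(x,*).P of Section 4. Names and sample tuples are my own.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Formal:
    """A formal field !x: the variable that a successful match binds."""
    name: str

class _Star:
    """The field *: O[[!x]] = * is how a formal of an output tuple is stored,
    and in an input tuple * matches only such a stored formal."""
    def __repr__(self) -> str:
        return "*"

STAR = _Star()
Tup = Tuple[Any, ...]
Binding = Dict[str, Any]

def eval_out(t: Tup) -> Tup:
    """O[[.]] of Table 1 on evaluated expressions: formals are replaced by *."""
    return tuple(STAR if isinstance(f, Formal) else f for f in t)

def match(it: Tup, ot: Tup, linda: bool = False) -> Optional[Binding]:
    """PAL pattern-matching over EIT x EOT (Table 2). With linda=True it is the
    original Linda rule instead, where a value in the input tuple also matches
    a stored formal (in(x,v) matches both (v',v) and (v',!y)). Returns the
    binding of the formals of `it`, or None when the tuples do not match."""
    ot = eval_out(ot)
    if len(it) != len(ot):                 # same number of fields required
        return None
    binding: Binding = {}
    for fi, fo in zip(it, ot):
        if isinstance(fi, Formal):         # match(!x, v): any value, never a formal
            if fo is STAR:
                return None
            binding[fi.name] = fo
        elif fi is STAR:                   # match(*, *): only a stored formal; no * in Linda
            if linda or fo is not STAR:
                return None
        elif fo is STAR:                   # value vs stored formal: Linda yes, PAL no
            if not linda:
                return None
        elif fi != fo:                     # match(v, v): values match only if identical
            return None
    return binding

class TupleSpace:
    """The multiset TS of Section 2, holding evaluated output tuples."""
    def __init__(self) -> None:
        self.tuples: List[Tup] = []

    def out(self, t: Tup) -> None:
        self.tuples.append(eval_out(t))

    def _select(self, it: Tup, remove: bool, linda: bool) -> Optional[Binding]:
        # Linda resolves several matching tuples non-deterministically; the
        # oldest one is taken here. None stands for "would block".
        for i, ot in enumerate(self.tuples):
            b = match(it, ot, linda)
            if b is not None:
                if remove:
                    del self.tuples[i]
                return b
        return None

    def read(self, it: Tup, linda: bool = False) -> Optional[Binding]:
        """read(t): binding of a matching tuple, which stays in TS."""
        return self._select(it, False, linda)

    def in_(self, it: Tup, linda: bool = False) -> Optional[Binding]:
        """in(t): like read, but the matched tuple is removed from TS."""
        return self._select(it, True, linda)

def in_choice(ts: TupleSpace, *alternatives: Tup) -> Optional[Binding]:
    """External choice in(t1).P [] in(t2).P ...: an enabled branch fires (here
    the first enabled one). With in(!x,v) [] in(!x,*) this recovers Linda's
    in(x,v) inside PAL, as explained above."""
    for it in alternatives:
        b = ts.in_(it)
        if b is not None:
            return b
    return None

def demo() -> Dict[str, Any]:
    """Constructed TS: two chopsticks, a price tuple with a formal second field
    and a price tuple carrying the value 7."""
    ts = TupleSpace()
    for t in [("chopstick", 1), ("chopstick", 2), ("price", Formal("y")), ("price", 7)]:
        ts.out(t)
    return {
        "pal_hit": ts.read(("price", 7)),                 # {}: 7 matches ("price", 7)
        "pal_miss": ts.read(("price", 8)),                # None: 8 matches neither 7 nor *
        "linda_hit": ts.read(("price", 8), linda=True),   # {}: 8 matches the stored formal
        "encoded": in_choice(ts, ("price", 8), ("price", STAR)),  # {}: takes ("price", *)
        "bound": ts.in_(("chopstick", Formal("i"))),      # {"i": 1}: selected by tag
        "left": list(ts.tuples),                          # [("chopstick", 2), ("price", 7)]
    }
```

An empty binding {} is a successful match of a template without formals; None is where a real Linda in/read would block.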
We are, finally, ready to introduce the operational semantics of PAL. 


Definition 4.2. The operational semantics of PAL is characterized by the extended labelled transition system (Proc, Act, −→, ↦) where

• Proc (i.e. the set of PAL processes) is the set of states,

• Act = EOT × {!, ?}, ranged over by α, is the set of actions or labels,

• −→ ⊆ Proc × Act × Proc, the action relation, is the least relation closed under the SOS rules in Table 3,

• ↦ ⊆ Proc × Proc, the internal relation, is the least relation closed under the SOS rules in Tables 3 and 4.


The set Act contains two kinds of actions. Action ot!, with ot ∈ EOT, corresponds to the production of the tuple ot because of the execution of an out operation. Action ot?, with ot ∈ EOT, corresponds to the selection of tuple ot because of the execution of an in/read operation. We shall use ρ to range over Act* (i.e. sequences of actions). In rules IR12 and IR13 in Table 4, we make use of a complementation notation for labels. It is defined in the obvious way: the complement ᾱ of a label α is ot? if α = ot! and ot! if α = ot?; as usual, the complement of ᾱ is α.
Table 4
Internal relation (symmetrical versions of rules IR7-10 omitted)

IR1   Ω ↦ Ω
IR2   rec X.P ↦ P[rec X.P/X]
IR3   B[[be]] = tt, P ↦ P'  ⟹  if be then P else Q ↦ P'
IR4   B[[be]] = ff, Q ↦ Q'  ⟹  if be then P else Q ↦ Q'
IR5   out(t).P ↦ out(t).nil | P                         if P ≢ nil
IR6   eval(P).Q ↦ P | Q
IR7   P ⊕ Q ↦ P
IR8   P ↦ P'  ⟹  P [] Q ↦ P' [] Q
IR9   P ↦ P'  ⟹  P | Q ↦ P' | Q
IR10  P ↦ P'  ⟹  P ‖ Q ↦ P' ‖ Q
IR11  P ↦ P'  ⟹  P ⌊ Q ↦ P' ⌊ Q
IR12  P --α--> P', Q --ᾱ--> Q'  ⟹  P | Q ↦ P' | Q'
IR13  P --α--> P', Q --ᾱ--> Q'  ⟹  P ‖ Q ↦ P' | Q'


Most of the operational rules are similar to those for TCCS in [28] and for ACP in [1]. Commutativity and associativity of the operator for parallel composition enable us to model the actual TS as parallel composition of processes representing single tuples. The fact that TS is not modelled as a passive component allows us to represent the states of the transition system as purely syntactical objects. The asynchronous nature of the communication paradigm is rendered by allowing term P of out(t).P to proceed before tuple t is actually accessed. Thus out(t).P is rendered as (out(t).nil) | P (rule IR5 in Table 4), and tuples can be used independently of what the remainders of producer processes do.

In Table 3, rule AR1 shows that process in(t).E consumes a tuple ot matching the tuple I[[t]] resulting from the evaluation of t; this causes the substitution, denoted by E[ot/I[[t]]], in E of the free occurrences of the variables in the formals of I[[t]] with the corresponding values in ot. The corresponding label carries information about the tuple consumed. Rule AR2 shows that process read(t).E differs from in(t).E because it leaves in TS the accessed tuple. According to the terminology of [38], the PAL operational rules adopt an early instantiation scheme; value variables bound by in/read are instantiated when input transitions are inferred, not when communications take place (late instantiation).

In Table 4, rule IR6 shows that eval causes dynamic process creation; eval(out(t).nil) can be used to express the original Linda eval(t), that allowed tuples and not terms as arguments of eval. Rules AR7, AR8, IR3 and IR4 show that the conditional term if be then P else Q acts like P if the boolean expression be evaluates to true and like Q otherwise. Rules IR12 and IR13 deal with interprocess communication.

Rules AR4-6 and IR7-11 are similar to those for TCCS of [28] and for ACP of [1].

In the following, we shall use the summation Σ_{i∈I} to represent a general external choice operator with |I| arguments. This is justified by the SOS operational rules for [] (AR4 and IR8, and their symmetrical ones) which imply that [] is associative and
Table 5
Process input tuples (symmetrical versions of rules PP3-4 omitted)

PP1  in(t).E ⊢ I[[t]]
PP2  read(t).E ⊢ I[[t]]
PP3  P ⊢ it  ⟹  P [] Q ⊢ it
PP4  P ⊢ it  ⟹  P | Q ⊢ it
PP5  P ⊢ it  ⟹  P ⌊ Q ⊢ it
PP6  B[[be]] = tt, P ⊢ it  ⟹  if be then P else Q ⊢ it
PP7  B[[be]] = ff, Q ⊢ it  ⟹  if be then P else Q ⊢ it


commutative. By convention, Σ_{i∈∅} P_i denotes nil. Similarly, ⊕_{i∈I} represents a general internal choice operator.


4.1. Basic properties of the transition system 


The LTS for PAL is in general not finitely branching since the set of initial actions that a process can perform may be infinite; processes of the form in(t).E can have an infinite number of derivations in(t).E --ot?--> E[ot/I[[t]]], where match(I[[t]], ot). However, some finiteness results about the LTS can be proved, that will be useful to express the interaction ability of processes in terms of finite sets.

To single out the set of evaluated input tuples that a process can initially use for accessing tuples, we use the unary relation ⊢ it, where it ∈ EIT, defined inductively on the syntax of terms in Table 5.


Definition 4.3. For any process P and action α, we define the sets of
• Input-read tuples: IRT(P) = {it ∈ EIT | P ⊢ it},

• Output tuples: OT(P) = {ot ∈ EOT | ∃P': P --ot!--> P'},

• Output derivatives: OD(P) = {P' | ∃ot ∈ EOT: P --ot!--> P'},

• Internal derivatives: ID(P) = {P' | P ↦ P'},

• α derivatives: D(P, α) = {P' | P --α--> P'}.


Now, the following finiteness results can be established. 


Proposition 4.4. For every process P and every action α, IRT(P), OT(P), OD(P), ID(P) and D(P, α) are finite.


Proof. The proof goes by structural induction on P like in [29]. We only consider some of the most significant cases. The remaining ones are trivial or similar to those explicitly considered.

If P ≡ rec X.E then we have IRT(P) = OD(P) = OT(P) = ∅, ID(P) = {E[rec X.E/X]} and D(P, α) = ∅ for all α ∈ Act.

If P ≡ out(t).Q then we have the following two subcases:

• if Q ≡ nil then IRT(P) = ID(P) = ∅, OD(P) = {nil}, OT(P) = {ot} where ot = O[[t]], and if α = ot! then D(P, α) = {nil} else D(P, α) = ∅;

• if Q ≢ nil then IRT(P) = OD(P) = OT(P) = ∅, ID(P) = {out(t).nil | Q} and D(P, α) = ∅ for all α ∈ Act.

If P ≡ in(t).E, with fv(E) ⊆ var(t), then by definition we have IRT(P) = {I[[t]]}, OD(P) = OT(P) = ID(P) = ∅, and if α = ot? with match(I[[t]], ot) then D(P, α) = {E[ot/I[[t]]]} else D(P, α) = ∅.

If P ≡ P_1 | P_2 then we have
1. IRT(P) = IRT(P_1) ∪ IRT(P_2),

2. OD(P) = {P_1' | P_2 : P_1' ∈ OD(P_1)} ∪ {P_1 | P_2' : P_2' ∈ OD(P_2)},

3. OT(P) = OT(P_1) ∪ OT(P_2),

4. D(P, α) = {P_1' | P_2 : P_1' ∈ D(P_1, α)} ∪ {P_1 | P_2' : P_2' ∈ D(P_2, α)},

5. ID(P) = {P_1' | P_2 : P_1' ∈ ID(P_1)} ∪ {P_1 | P_2' : P_2' ∈ ID(P_2)} ∪ {P_1' | P_2' : (P_1' ∈ OD(P_1) ∨ P_2' ∈ OD(P_2)) ∧ P_1 --α--> P_1' ∧ P_2 --ᾱ--> P_2'}.

By induction, the sets of cases 1-4 only have a finite number of elements. This is obviously true also for the sets {P_1' | P_2 : P_1' ∈ ID(P_1)} and {P_1 | P_2' : P_2' ∈ ID(P_2)} of case 5. For the set {P_1' | P_2' : (P_1' ∈ OD(P_1) ∨ P_2' ∈ OD(P_2)) ∧ P_1 --α--> P_1' ∧ P_2 --ᾱ--> P_2'} observe that either α or ᾱ must be an output action and therefore, by induction, there is only a finite number of such pairs. Let us assume that α = ot! and ᾱ = ot? for some ot ∈ EOT; by induction, we conclude that the number of possible P_1' and P_2', and then that of processes of the form P_1' | P_2', is finite. □


5. Testing semantics for PAL 


In this section we show how to apply the standard theory of testing [19,28] to PAL. 
To this aim we must define a set of observers, an observation mechanism (experiments 
and computations) and a criterion for interpreting observations. This machinery will 
give rise to a preorder over PAL processes formulated in terms of the inability to 
respond negatively to a test. 

We assume a special action prefix, success, and a special label, ω, which are used to denote success. The operational rule which corresponds to this new prefix is: success.P --ω--> P.

Observers, ranged over by O, are processes which contain the special prefix success.

Experiments are terms of the form P|O. To determine the result of an experiment P|O we must consider all of its computations, i.e. all sequences


P|O ≡ P_0|O_0 ↦ P_1|O_1 ↦ P_2|O_2 ↦ ... ↦ P_k|O_k ↦ ...


which are either infinite or such that their last pair cannot perform any internal transition. We write P must O if for each computation there exists n ≥ 0 such that O_n --ω-->. We write P ¬must O if P must O does not hold.¹


Definition 5.1. The testing preorder ⊑ over PAL processes we are interested in is defined by: for all processes P and Q,


P ⊑ Q if, for every observer O, P must O implies Q must O.


The preorder is extended to terms which may contain free process variables as follows:


E ⊑ F if, for any substitution ξ such that Eξ and Fξ are processes, Eξ ⊑ Fξ.


We will use ≃ to denote the equivalence obtained as the kernel of the preorder (i.e. ≃ = ⊑ ∩ ⊑⁻¹).

To simplify some of the proofs, we shall introduce an alternative characterization of ⊑. This characterization provides an observer-independent method for checking whether two processes are behaviourally related. Like in [29], this alternative characterization will rely on the events that processes can be engaged in and on the sequences of actions they can perform.

We start by introducing the notion of patterns of evaluated input tuples. Patterns differ from input tuples because they abstract away from the variables occurring in the formals. These variables do not affect the communication capability of processes. For instance, processes in(!x).E and in(!y).F can initially access the same tuples.


Definition 5.2. The set of abstract evaluated input tuples or patterns (AEIT), ranged over by p, is generated from the following grammar:


p ::= fp | fp, p
fp ::= _ | v | *


Function φ: EIT → AEIT returns the pattern of an evaluated input tuple. Essentially, φ abstracts away from the variables in the formals of evaluated input tuples; all of them are represented as _. Notation 3.2 (about tuples) is extended to patterns in the obvious way. Predicate match is defined over AEIT × EOT by means of the rules in Table 2 where the axiom match(!x, v) (v ∈ Val) is replaced by match(_, v) (v ∈ Val). We are now set to introduce the notion of event.

Definition 5.3. The set of events, Ev, ranged over by e, is defined as


Ev = {(i, p) | p ∈ AEIT} ∪ {(o, ot) | ot ∈ EOT}.


Predicate match is extended to events by letting


∀(i, p), (o, ot) ∈ Ev: match((i, p), (o, ot)) ⟺ match(p, ot).


¹ In general, for any given predicate 𝒫, we shall write ¬𝒫 to denote that 𝒫 does not hold.
If T ⊆ AEIT then we let MT(T) = {ot ∈ EOT | ∃p ∈ T: match(p, ot)}, i.e. MT(T) is the set of evaluated output tuples that match the patterns in T. Intuitively, each event corresponds to a set of actions: (o, ot) corresponds to ot! while (i, p) corresponds to any action ot? with ot ∈ MT({p}). The set of actions corresponding to an event e may be strictly contained in that corresponding to an event e'. For example, the set of actions corresponding to (i, (_, 7)) contains that corresponding to (i, (5, 7)). Therefore, for comparing two finite sets of events we must generalize the usual (set inclusion) relation.


Notation 5.4. If A ⊆ Ev we shall use the following notations:
Ev_out(A) = {(o, ot) | (o, ot) ∈ A},    F(Ev_out(A)) = {ot | (o, ot) ∈ Ev_out(A)},
Ev_in(A) = {(i, p) | (i, p) ∈ A},       F(Ev_in(A)) = {p | (i, p) ∈ Ev_in(A)}.

Definition 5.5. For all finite sets of events A and B we write A ⊲ B if


Ev_out(A) ⊆ Ev_out(B)  and  MT(F(Ev_in(A))) ⊆ MT(F(Ev_in(B))).


Intuitively, A ⊲ B means that any action corresponding to an event of A has a corresponding event in B: B has at least the same interaction capability as A. Now we can fix some standard notions.
Now we can fix some standard notions. 


Definition 5.6.
• A process $Q$ such that $P \xrightarrow{\alpha} Q$ or $P \rightarrowtail Q$ is called an $\alpha$ derivative or an internal derivative of $P$.
• For $\rho \in Act^*$ we inductively define $P_1 \stackrel{\rho}{\Longrightarrow} P_2$ by
  1. $P_1 \stackrel{\varepsilon}{\Longrightarrow} P_2$ if $P_1 \rightarrowtail^* P_2$;
  2. $P_1 \stackrel{\alpha \cdot \rho}{\Longrightarrow} P_2$ if $\exists P_1', P_2' : P_1 \stackrel{\varepsilon}{\Longrightarrow} P_1'$, $P_1' \xrightarrow{\alpha} P_2'$, $P_2' \stackrel{\rho}{\Longrightarrow} P_2$.
  Often, we shall write $\Longrightarrow$ instead of $\stackrel{\varepsilon}{\Longrightarrow}$.
• For $\rho \in Act^*$ we inductively define $P \downarrow \rho$ by
  1. $P \downarrow \varepsilon$ if there is no infinite computation $P \rightarrowtail P_1 \rightarrowtail P_2 \rightarrowtail \ldots$;
  2. $P \downarrow \alpha \cdot \rho'$ if $P \downarrow \varepsilon$ and whenever $P \stackrel{\alpha}{\Longrightarrow} P'$ then $P' \downarrow \rho'$.
  We write $P \uparrow \rho$ if $P \downarrow \rho$ is false.
• The language of $P$ is $L(P) = \{\rho \in Act^* \mid \exists P' : P \stackrel{\rho}{\Longrightarrow} P'\}$.
• The set of successors (or initial events) of $P$ is

  $S(P) = \{(i, \mathcal{P}(it)) \mid \exists P' : P \stackrel{it}{\Longrightarrow} P'\} \cup \{(o, ot) \mid \exists P' : P \stackrel{ot!}{\Longrightarrow} P'\}.$

• The acceptance set of $P$ after $\rho \in Act^*$ is $\mathcal{A}(P, \rho) = \{S(P') \mid P \stackrel{\rho}{\Longrightarrow} P'\}$.
  Acceptance sets are ordered by the preorder $\subset\!\subset$ defined below:

  $\mathcal{A} \subset\!\subset \mathcal{B}$ if for all $A \in \mathcal{A}$ there exists $B \in \mathcal{B}$ such that $B \lhd A$.


The following property relies on Proposition 4.4; it can be proven by induction on $|\rho|$.

Proposition 5.7. For every process $P$, $P \downarrow \rho$ implies that $\mathcal{A}(P, \rho)$ is finite.

Finally, we can define the alternative preorder $\ll_M$ over processes.

Definition 5.8. For processes $P$ and $Q$, $P \ll_M Q$ if for every $\rho \in Act^*$, $P \downarrow \rho$ implies
1. $Q \downarrow \rho$,
2. $\mathcal{A}(Q, \rho) \subset\!\subset \mathcal{A}(P, \rho)$.
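As an added example (not part of the original paper), the definitions above can be executed on finite, hand-built acceptance-set tables. The Python below implements $match$, the event preorder $\lhd$ of Definition 5.5, the preorder $\subset\!\subset$ on acceptance sets and the two clauses of Definition 5.8. It assumes that $Val$ is infinite, so that $\mathcal{MT}(\{p\})$ is covered by finitely many $\mathcal{MT}(\{q\})$ exactly when one single pattern $q$ subsumes $p$; the process tables (sequences, convergence flags and acceptance sets of four small PAL processes) are constructed by hand, not derived from an operational semantics.

```python
"""Finite checks for the event preorder (Definition 5.5), the acceptance-set
preorder (Definition 5.6) and the alternative preorder <<_M (Definition 5.8).

Patterns are tuples whose fields are values or the wildcard "_"; events are
("i", pattern) or ("o", tuple); acceptance sets are lists of frozensets.
Assumption (not from the paper): Val is infinite, hence MT({p}) is covered
by the MT({q}) of a finite family only when one single q subsumes p."""

WILD = "_"


def match(p, ot):
    """Predicate match of Table 2: a wildcard field matches any value."""
    return len(p) == len(ot) and all(a == WILD or a == b for a, b in zip(p, ot))


def subsumes(q, p):
    """MT({p}) is included in MT({q}): q is a wildcard or agrees with p everywhere."""
    return len(q) == len(p) and all(a == WILD or a == b for a, b in zip(q, p))


def ev_in(A):
    return {e for e in A if e[0] == "i"}


def ev_out(A):
    return {e for e in A if e[0] == "o"}


def event_le(A, B):
    """A <| B: Ev_out(A) within Ev_out(B) and every input pattern of A subsumed by one of B."""
    return ev_out(A) <= ev_out(B) and all(
        any(subsumes(q, p) for (_, q) in ev_in(B)) for (_, p) in ev_in(A))


def acc_le(As, Bs):
    """Acceptance-set preorder: for every A in As there is B in Bs with B <| A."""
    return all(any(event_le(B, A) for B in Bs) for A in As)


def converges(tab, rho):
    """P converges after rho unless some prefix of rho is recorded as divergent."""
    return all(tab.get(rho[:k], (True, []))[0] for k in range(len(rho) + 1))


def alt_preorder(tab_p, tab_q):
    """P <<_M Q on tables {rho: (P converges after rho, acceptance set after rho)}.
    A sequence absent from a table is outside the language: convergent, no derivatives."""
    for rho in set(tab_p) | set(tab_q):
        if not converges(tab_p, rho):
            continue                      # clause applies only when P converges
        if not converges(tab_q, rho):
            return False
        acc_p = tab_p.get(rho, (True, []))[1]
        acc_q = tab_q.get(rho, (True, []))[1]
        if not acc_le(acc_q, acc_p):
            return False
    return True


# Constructed tables; rho is a tuple of action names such as "5?".
I5, I7, IANY = ("i", (5,)), ("i", (7,)), ("i", (WILD,))
IN5 = {(): (True, [frozenset({I5})]), ("5?",): (True, [frozenset()])}        # in(5).nil
INX = {(): (True, [frozenset({IANY})]), ("5?",): (True, [frozenset()]),
       ("7?",): (True, [frozenset()])}                                       # in(x).nil, x formal
ICHOICE = {(): (True, [frozenset({I5}), frozenset({I7})]),
           ("5?",): (True, [frozenset()]), ("7?",): (True, [frozenset()])}   # in(5).nil (+) in(7).nil
ECHOICE = {(): (True, [frozenset({I5, I7})]),
           ("5?",): (True, [frozenset()]), ("7?",): (True, [frozenset()])}   # in(5).nil [] in(7).nil
OMEGA = {(): (False, [])}                                                    # the divergent process


def examples():
    return {
        "in5_le_inx": alt_preorder(IN5, INX),
        "inx_le_in5": alt_preorder(INX, IN5),
        "internal_le_external": alt_preorder(ICHOICE, ECHOICE),
        "external_le_internal": alt_preorder(ECHOICE, ICHOICE),
        "omega_is_bottom": alt_preorder(OMEGA, IN5),
        "nothing_below_omega": alt_preorder(IN5, OMEGA),
        "single_event": event_le({I5}, {IANY}),
    }
```

The results show two facts the definitions alone do not make obvious: $in(5).nil$ and $in(\underline{x}).nil$ are incomparable (the wildcard has more capability at $\varepsilon$, but it also accepts $7?$, which $in(5).nil$ must refuse), while internal choice lies below external choice, as in classical testing.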


We can prove that $\sqsubseteq_M$ and $\ll_M$ coincide when referred to processes (Theorem 5.13). The structure of the actual proof is similar to the corresponding one for process algebras in [28,29]; due to the Linda communication paradigm, a few additional complications have to be faced. In the following we shall illustrate the main steps of the proof. Whenever the proof proceeds as in [28,29] we shall omit the details.

We shall use three sets of special observers for testing processes. The first one, con, 
tests for convergence, the second, rej, tests for the language generated and the last, ac, 
tests for the contents of acceptance sets. These tests rely on the ability of observers 
to determine which tuple has been selected by pattern-matching. This is made possible 
by the adoption of the pattern-matching mechanism defined by the rules in Table 2, 
that slightly differs from the original Linda one. 

We let $succ$ denote the observer $success.nil$ and $isucc$ the observer $eval(nil).succ$. The only difference is that the former immediately succeeds whilst the latter must perform an internal transition before succeeding.


Definition 5.9. For each $\rho \in Act^*$, $\alpha \in Act$ and $A$ finite subset of $Ev$, let the observers $con(\rho)$, $rej(\rho, \alpha)$ and $ac(\rho, A)$ be defined by
1. $con(\varepsilon) = isucc$,
   $con(ot! \cdot \rho') = isucc\ []\ in(ot).con(\rho')$,
   $con(ot? \cdot \rho') = isucc\ []\ (out(ot).nil \lfloor con(\rho'))$;
2. $rej(\varepsilon, ot!) = isucc\ []\ in(ot).nil$,
   $rej(\varepsilon, ot?) = isucc\ []\ out(ot).nil$,
   $rej(ot! \cdot \rho', \alpha) = isucc\ []\ in(ot).rej(\rho', \alpha)$,
   $rej(ot? \cdot \rho', \alpha) = isucc\ []\ (out(ot).nil \lfloor rej(\rho', \alpha))$;
3. $ac(\varepsilon, A) = \sum_{e \in A} ac(e)$,
   $ac(ot! \cdot \rho', A) = isucc\ []\ in(ot).ac(\rho', A)$,
   $ac(ot? \cdot \rho', A) = isucc\ []\ (out(ot).nil \lfloor ac(\rho', A))$,
   where for every $e \in Ev$ the observer $ac(e)$ is defined by
   $ac((o, ot)) = in(ot).succ$,
   $ac((i, p)) = out(ot^p).nil \lfloor succ$,
   with $ot^p_j = v_j$ if $p_j = \_$, where $v_j \in Val$ is an arbitrarily chosen value, and $ot^p_j = p_j$ otherwise.
The above observers are used for proving the following three propositions.

Proposition 5.10. For every process $P$, $P$ must $con(\rho)$ if and only if $P \downarrow \rho$.

Proposition 5.11. For every process $P$, if $P \downarrow \rho$ then $P$ must $rej(\rho, \alpha)$ if and only if $\rho \cdot \alpha \notin L(P)$.

Proposition 5.12. For every process $P$, if $P \downarrow \rho$ then $P$ must $ac(\rho, B)$ if and only if for all $A \in \mathcal{A}(P, \rho)$ at least one of the following two conditions holds:
• $Ev_{out}(A) \cap Ev_{out}(B) \neq \emptyset$,
• $\exists e \in Ev_{in}(A), \exists e' \in Ev_{in}(B), \exists e'' \in Ev : match(e, e'') \wedge match(e', e'')$.

Theorem 5.13. For all processes $P$ and $Q$, $P \sqsubseteq_M Q$ if and only if $P \ll_M Q$.


Proof. We start by showing that $\sqsubseteq_M$ implies $\ll_M$. Let us assume that $P \sqsubseteq_M Q$ and that $P \downarrow \rho$. By Proposition 5.10, this implies that $P$ must $con(\rho)$. Then, by hypothesis, $Q$ must $con(\rho)$ and, by Proposition 5.10 again, $Q \downarrow \rho$. Let $A \in \mathcal{A}(Q, \rho)$ (obviously, if $\mathcal{A}(Q, \rho) = \emptyset$ then we have finished). This means that $\rho \in L(Q)$. If $\rho = \varepsilon$, since $\varepsilon \in L(R)$ for each process $R$, it obviously follows that $\mathcal{A}(P, \varepsilon) \neq \emptyset$. Otherwise, let $\rho = \rho' \cdot \alpha$. By Proposition 5.11, it follows that $Q$ $\overline{\text{must}}$ $rej(\rho', \alpha)$. Then, by hypothesis, $P$ $\overline{\text{must}}$ $rej(\rho', \alpha)$ and, by Proposition 5.11 again, we conclude that $\mathcal{A}(P, \rho) \neq \emptyset$. Moreover, from Proposition 5.7 it follows that $\mathcal{A}(P, \rho)$ is finite, say $\mathcal{A}(P, \rho) = \{B_1, B_2, \ldots, B_n\}$. We must show that there exists $j$, $1 \leq j \leq n$, such that $B_j \lhd A$. We derive a contradiction from the assumption that such an index $j$ does not exist. Indeed, for each $j$, $1 \leq j \leq n$, there must be an event $e_j \in B_j$ and a corresponding action that does not correspond to any event of $A$. For all $j$, $1 \leq j \leq n$, let $e_j \in Ev$ be such that one of the following conditions holds:
• $e_j = (i, ot)$, if $\exists (i, p') \in Ev_{in}(B_j) : match(p', ot)$ and $\forall (i, p'') \in Ev_{in}(A) : match(p'', ot)$ is false;
• $e_j = (o, ot)$, if $(o, ot) \in Ev_{out}(B_j) \setminus Ev_{out}(A)$.
Let $B$ be the set of all such $e_j$. By Proposition 5.12, we get $P$ must $ac(\rho, B)$. By construction, $Q$ $\overline{\text{must}}$ $ac(\rho, B)$ because of the unsuccessful computation $Q \,|\, ac(\rho, B) \rightarrowtail^* R \,|\, ac(\varepsilon, B)$, where $R$ is such that $Q \stackrel{\rho}{\Longrightarrow} R$ and $S(R) = A$. Therefore, we come to a contradiction with the hypothesis $P \sqsubseteq_M Q$, and then there must exist $j$, $1 \leq j \leq n$, such that $B_j \lhd A$, which implies the thesis.

Now, we show the converse, i.e. that $\ll_M$ implies $\sqsubseteq_M$. Let us assume that $P \ll_M Q$. Let $O$ be any observer such that $Q$ $\overline{\text{must}}$ $O$: we will show that $P$ $\overline{\text{must}}$ $O$ as well. There are various reasons for $Q$ $\overline{\text{must}}$ $O$, but the basic one is the existence of a finite unsuccessful computation $Q \,|\, O \Longrightarrow Q' \,|\, O'$ (i.e. $Q'$ and $O'$ cannot interact) such that for some sequence $\rho$ of visible actions $Q \stackrel{\rho}{\Longrightarrow} Q'$, $O \stackrel{\bar{\rho}}{\Longrightarrow} O'$ and none of the observers in the derivation $O \stackrel{\bar{\rho}}{\Longrightarrow} O'$ is able to perform an $\omega$ derivative. If $P \uparrow \rho$ then there exists a prefix $\rho'$ of $\rho$ and $P'$ such that $P \stackrel{\rho'}{\Longrightarrow} P'$ and $P' \uparrow$, and it is straightforward to obtain an unsuccessful computation for $P \,|\, O$. If $P \downarrow \rho$, the hypothesis $P \ll_M Q$ implies that there exists a process $P'$ such that $P \stackrel{\rho}{\Longrightarrow} P'$, $ID(P') = \emptyset$ and $S(P') \lhd S(Q')$. Since $Q'$ and $O'$ cannot interact and $S(P') \lhd S(Q')$, then $P'$ and $O'$ cannot interact either. Therefore, the derivations $P \stackrel{\rho}{\Longrightarrow} P'$ and $O \stackrel{\bar{\rho}}{\Longrightarrow} O'$ can be combined to form an unsuccessful computation $P \,|\, O \Longrightarrow P' \,|\, O'$. Hence, $P$ $\overline{\text{must}}$ $O$. □


Using the above alternative characterization of $\sqsubseteq_M$ it is now easy to show that the behavioural preorder is a precongruence over all the PAL operators but $in(t).\_$ and $read(t).\_$.

Proposition 5.14. All the PAL operators other than $in(t).\_$ and $read(t).\_$ preserve $\sqsubseteq_M$.

Proof. The proof can be done by an exhaustive case analysis. When the parallel operators $|$, $\lfloor$ and $\|$ are considered a direct argument is needed; in all the remaining cases we rely on $\ll_M$. □

For the operators $in(t).\_$ and $read(t).\_$ we must take into account all the substitutions they may give rise to.

Proposition 5.15. If for each tuple $ot \in EOT$ such that $match(\mathcal{I}[\![t]\!], ot)$ it holds that $E[ot/\mathcal{I}[\![t]\!]] \sqsubseteq_M F[ot/\mathcal{I}[\![t]\!]]$ then $in(t).E \sqsubseteq_M in(t).F$ and $read(t).E \sqsubseteq_M read(t).F$.

Proof. Also here we take advantage of the alternative characterization $\ll_M$. We prove the claim for $in(t).\_$; the proof for $read(t).\_$ is similar. If $\rho = \varepsilon$ we have $in(t).E \downarrow \varepsilon$ and $in(t).F \downarrow \varepsilon$. We also have that $\mathcal{A}(in(t).E, \varepsilon) = \{\{(i, p)\}\} = \mathcal{A}(in(t).F, \varepsilon)$, where $p = \mathcal{P}(\mathcal{I}[\![t]\!])$. Every non-empty sequence of actions from $in(t).E$ or $in(t).F$ is of the form $ot'? \cdot \rho$, for some $ot' \in EOT$ such that $match(p, ot')$ and $\rho$ a sequence from $E[ot'/\mathcal{I}[\![t]\!]]$ or $F[ot'/\mathcal{I}[\![t]\!]]$. Now, we can use the hypothesis $E[ot'/\mathcal{I}[\![t]\!]] \ll_M F[ot'/\mathcal{I}[\![t]\!]]$ for comparing acceptance sets and convergence, and the thesis follows. □


6. A proof system for PAL

In this section we define a proof system for PAL processes and prove that it is sound and complete with respect to the behavioural preorder $\sqsubseteq_M$. The proof system, that we call $\mathcal{SP}$, is based on a set of equational laws plus two induction rules: one handling recursively defined processes and the other dealing with input prefixes. The axioms and the inference rules of the proof system are shown in Tables 6-10. Each equation $X = Y$ has to be read as standing for the pair of inequations $X \sqsubseteq Y$ and $Y \sqsubseteq X$. We shall write $E_1 \sqsubseteq_{\mathcal{SP}} E_2$ ($E_1 =_{\mathcal{SP}} E_2$) to indicate that $E_1 \sqsubseteq E_2$ ($E_1 = E_2$) can be derived within $\mathcal{SP}$.

Table 6
Inequations for sequential, non-deterministic processes

IC1  $X \oplus (Y \oplus Z) = (X \oplus Y) \oplus Z$
IC2  $X \oplus Y = Y \oplus X$
IC3  $X \oplus X = X$
IC4  $X \oplus Y \sqsubseteq X$
EC1  $X\ []\ (Y\ []\ Z) = (X\ []\ Y)\ []\ Z$
EC2  $X\ []\ Y = Y\ []\ X$
EC3  $X\ []\ X = X$
EC4  $X\ []\ nil = X$
MIX1 $X \oplus (Y\ []\ Z) = (X \oplus Y)\ []\ (X \oplus Z)$
MIX2 $X\ []\ (Y \oplus Z) = (X\ []\ Y) \oplus (X\ []\ Z)$

Table 7
Inequations for $\Omega$

UND1 $\Omega \sqsubseteq X$          UND4 $\Omega \,\|\, X \sqsubseteq \Omega$
UND2 $X\ []\ \Omega \sqsubseteq \Omega$   UND5 $\Omega \,|\, X \sqsubseteq \Omega$
UND3 $X \,|\, \Omega \sqsubseteq \Omega$   UND6 $\Omega \lfloor X \sqsubseteq \Omega$

Table 6 contains the standard inequations for testing from [20,28].

The laws in Table 7 state that process $\Omega$ is less defined than every PAL process (UND1) and assert the strictness of all binary operators (strictness of $\oplus$ follows from IC4).

The laws in Table 8 are essentially concerned with the PAL parallel operators, and show that parallel operators, when applied to finite terms, can be replaced by more primitive ones, namely $nil$, $\Omega$, $\_ [] \_$, $\_ \oplus \_$, $in(t).\_$ and $out(t).nil \lfloor \_$. The left merge operator deserves specific attention because it cannot be completely replaced; its simpler form $out(t).nil \lfloor \_$ is needed as a blocking output prefix. PAR1 and PAR2 are taken from [28]. PAR3 is a modification of the interleaving law of [28] to take into account the communication paradigm used in PAL. Like the interleaving law in [1], PAR3 is a weaker version of the standard ACP axiom $X \,|\, Y = X \lfloor Y + Y \lfloor X + X \,\|\, Y$ which applies to stable processes only, i.e. processes without initial internal transitions.$^2$ Similarly, CM1 is a weaker version of a corresponding ACP axiom; it holds only if $Z$ is stable.$^3$ The remaining laws are obvious adaptations of similar laws of [7,8,1].


$^2$ The general ACP law is not sound with respect to $\sqsubseteq_M$. For instance, if we take $P' = P \,|\, Q$ and $Q' = P \lfloor Q\ []\ Q \lfloor P\ []\ P \,\|\, Q$ where $P = in(5).out(3).nil$ and $Q = out(5).nil \oplus out(7).nil$, by letting $O = (in(3).success.nil)\ []\ (in(7).success.nil)$ we get that $P'$ must $O$ and $Q'$ $\overline{\text{must}}$ $O$ (indeed, $Q'$ can internally become the process $in(5).(out(3).nil \,|\, Q)\ []\ out(5).nil \lfloor P\ []\ (out(7).nil \,\|\, P)$ which cannot satisfy $O$).

$^3$ The condition on the syntactic structure of $Z$ is necessary for the soundness of the law. For instance, if we take $P = out(5).nil$, $Q = out(7).nil$ and $R = in(5).out(3).nil \oplus in(7).out(3).nil$ then, by letting $O = in(3).success.nil$, we get that $(P\ []\ Q) \,\|\, R$ must $O$ and $(P \,\|\, R)\ []\ (Q \,\|\, R)$ $\overline{\text{must}}$ $O$.
Table 8
Laws for the parallel operators

PAR1 $(X \oplus Y) \,|\, Z = (X \,|\, Z) \oplus (Y \,|\, Z)$
PAR2 $X \,|\, (Y \oplus Z) = (X \,|\, Y) \oplus (X \,|\, Z)$
PAR3 Let $X = \sum_{i \in I} in(it_i).X_i\ []\ \sum_{k \in K} out(ot_k).nil \lfloor X_k$
     and $Y = \sum_{j \in J} in(it_j).Y_j\ []\ \sum_{h \in H} out(ot_h).nil \lfloor Y_h$.
     Let $COMM(X, Y) = \{(i, h) \mid match(it_i, ot_h)\} \cup \{(j, k) \mid match(it_j, ot_k)\}$; then:
     $X \,|\, Y = (X \lfloor Y\ []\ Y \lfloor X) \oplus (X \,\|\, Y)$ if $COMM(X, Y) \neq \emptyset$
     $X \,|\, Y = X \lfloor Y\ []\ Y \lfloor X$ if $COMM(X, Y) = \emptyset$
LM1  $(X\ []\ Y) \lfloor Z = X \lfloor Z\ []\ Y \lfloor Z$
LM2  $(X \oplus Y) \lfloor Z = X \lfloor Z \oplus Y \lfloor Z$
LM3  $nil \lfloor X = nil$
LM4  $X \lfloor nil = X$
LM5  $(in(it).X) \lfloor Y = in(it).(X \,|\, Y)$ if $var(it)$ not free in $Y$
LM6  $(out(ot).nil \lfloor X) \lfloor Y = out(ot).nil \lfloor (X \,|\, Y)$
CM1  $(X\ []\ Y) \,\|\, Z = (X \,\|\, Z)\ []\ (Y \,\|\, Z)$ if $Z = \sum_{i \in I} in(it_i).Z_i\ []\ \sum_{k \in K} out(ot_k).nil \lfloor Z_k$
CM2  $(X \oplus Y) \,\|\, Z = (X \,\|\, Z) \oplus (Y \,\|\, Z)$
CM3  $X \,\|\, Y = Y \,\|\, X$
CM4  $nil \,\|\, X = nil$
CM5  $(in(it).X) \,\|\, (out(ot).nil \lfloor Y) = X[ot/it] \,|\, Y$ if $match(it, ot)$
CM6  $(in(it).X) \,\|\, (out(ot).nil \lfloor Y) = nil$ if $\neg match(it, ot)$
CM7  $(in(it_1).X) \,\|\, (in(it_2).Y) = nil$
CM8  $(out(ot_1).nil \lfloor X) \,\|\, (out(ot_2).nil \lfloor Y) = nil$

Table 9
Linda laws

OUT1 $out(ot).X = out(ot).nil \,|\, X$
OUT2 $out(ot).nil \lfloor X\ []\ out(ot).nil \lfloor Y = out(ot).nil \lfloor (X \oplus Y)$
OUT3 $out(ot).nil \lfloor X \oplus out(ot).nil \lfloor Y = out(ot).nil \lfloor (X \oplus Y)$
EVAL $eval(X).Y = X \,|\, Y$
READ $\dfrac{it \sqsupseteq t}{read(it).X = in(it).(out(t).nil \,|\, X)}$
IN1  $\dfrac{it \sqsupseteq it'}{in(it).X\ []\ in(it').Y = in(it).\text{if } bem(it, it') \text{ then } X \oplus Y \text{ else } X}$
IN2  $\dfrac{it \asymp it', \quad pf(it) \cap pa(it') \neq \emptyset, \quad pf(it') \cap pa(it) \neq \emptyset}{in(it).X\ []\ in(it').Y = in(it).\text{if } bem(it, it') \text{ then } X \oplus (Y\sigma(it, it')) \text{ else } X\ \ []\ \ in(it').\text{if } bem(it', it) \text{ then } X\sigma(it', it) \oplus Y \text{ else } Y}$
IN3  $\dfrac{it \asymp it'}{in(it).X \oplus in(it').Y = in(it).\text{if } bem(it, it') \text{ then } X \oplus (Y\sigma(it, it')) \text{ else } X\ \oplus\ in(it').\text{if } bem(it', it) \text{ then } X\sigma(it', it) \oplus Y \text{ else } Y}$


The laws in Table 9 are almost all new and depend on the communication paradigm of the language. They rely on the following notations.

Notation 6.1. For any $it, it' \in EIT$ and $t \in Tpl$ such that $|it| = |it'| = |t|$:
1. $pf(it)$ denotes the set of positions of formal fields in $it$ and $pa(it)$ the set of positions of actual fields in $it$;
2. $it \sqsupseteq t$ if for each $j$, $1 \leq j \leq |it|$, $j \notin pf(it)$ implies $t_j = it_j$ and $j \in pf(it)$ implies $t_j = var(it_j)$;
3. $it \sqsupseteq it'$ if for each $j$, $1 \leq j \leq |it|$, $j \notin pf(it) \cap pa(it')$ implies $it_j = it'_j$;
4. $it \asymp it'$ if for each $j$, $1 \leq j \leq |it|$, $j \notin (pf(it) \cap pa(it')) \cup (pf(it') \cap pa(it))$ implies $it_j = it'_j$;
5. $bem(it, it') = \bigwedge_{j \in pf(it) \cap pa(it')} (var(it_j) = it'_j)$;
6. $\sigma(it, it') = [it_j / var(it'_j)]_{j \in pf(it') \cap pa(it)}$.


Let us comment on the notations introduced above.

1. As an example, consider the tuple $(\underline{x}, 3, \underline{y}, x)$. Then, we have $pf((\underline{x}, 3, \underline{y}, x)) = \{1, 3\}$ and $pa((\underline{x}, 3, \underline{y}, x)) = \{2\}$.

2. $it \sqsupseteq t$ means that $t$ can be obtained from $it$ by removing the line under the variables in the formals, hence by transforming formals into actuals. For example, $(\underline{x}, 7, x) \sqsupseteq (x, 7, x)$.

3. $it \sqsupseteq it'$ states that all the output tuples that match $it'$ do match $it$ as well and that the variables occurring in the formals of $it'$ also occur in the corresponding formals of $it$. For example, $(\underline{x}, x, \underline{y}) \sqsupseteq (\underline{x}, x, 7)$, but $(\underline{x}, x, \underline{y}) \sqsupseteq (\underline{z}, x, 7)$ and $(\underline{x}, x, \underline{y}) \sqsupseteq (\underline{x}, z, 7)$ do not hold.

4. $it \asymp it'$ states that the corresponding formals in $it$ and $it'$ are syntactically identical and that there exist output tuples that can match both $it$ and $it'$. For example, $(\underline{x}, x, 7) \asymp (5, x, \underline{y})$. Note that $it \sqsupseteq it'$ implies $it \asymp it'$.

5. $bem(it, it')$ can be understood as a boolean function that evaluates to true whenever it receives as argument an output tuple that matches both $it$ and $it'$, and $it \sqsupseteq it'$ or $it \asymp it'$. In general, $bem(it, it')$ has the form $x_1 = v_1 \wedge \cdots \wedge x_n = v_n$ with $x_j \in var(it)$ and $v_j \in Val$ for $1 \leq j \leq n$. We will always use $bem(it, it')$ under the scope of the operator $in(it).\_$, that will bind subsequent free occurrences of variables in $var(it)$. As usual, we let $\bigwedge_{j \in \emptyset} be_j = tt$.

6. $\sigma(it, it')$ is a substitution that replaces the variables occurring in the formals of $it'$ with the corresponding values of $it$.

The assumption that the variables occurring in the formals of each tuple be all different has been important for having simple definitions of $bem(it, it')$ and of $\sigma(it, it')$.

Let us comment on the laws in Table 9. Laws OUT1 and EVAL assert that both $out(ot).\_$ and $eval(E).\_$ are non-blocking operators. In particular, OUT1 says that our general output prefixing is not needed; nullary process operators of the form $out(ot).nil$ are sufficient. Laws OUT2 and OUT3 make evident the internal non-determinism of processes and permit postponing internal choices.

READ permits expressing the operator $read$ in terms of $in$ and $out$. The law relies on the ability of determining which tuple has been selected by pattern-matching. Note that, from the definition of $it \sqsupseteq t$, it follows that $fv(out(t).nil) \subseteq var(it)$. As a simple application of the law we get the equation $read(\underline{x}, x).nil =_{\mathcal{SP}} in(\underline{x}, x).(out(x, x).nil \,|\, nil)$.

IN1 permits deleting the second summand of an external choice by absorbing its behaviour in that of the first. The premise guarantees that the law is applied only if the choice is internal, i.e. the first summand may access all the tuples accessible by the second. For instance, since $(\underline{x}) \sqsupseteq (2)$ and $bem((\underline{x}), (2)) = [x = 2]$, from IN1 we get the equation

$in(\underline{x}).out(1).nil\ []\ in(2).nil =_{\mathcal{SP}} in(\underline{x}).\text{if } x = 2 \text{ then } (out(1).nil \oplus nil) \text{ else } out(1).nil.$

IN2 permits introducing an internal choice after a tuple has been accessed. The premises guarantee that the law is applied only if the summands of an external choice can access common tuples ($it \asymp it'$) and it is not the case that a summand may access all the tuples the other summand may access ($pf(it) \cap pa(it') \neq \emptyset$ and $pf(it') \cap pa(it) \neq \emptyset$). The law says that for both summands it is possible to access a common tuple without making any commitment about the next behaviour. The premise $it \asymp it'$, the definition of $\sigma(it, it')$, and the fact that $fv(X) \subseteq var(it)$ and $fv(Y) \subseteq var(it')$ imply that $fv(X\sigma(it', it)) \subseteq var(it')$ and $fv(Y\sigma(it, it')) \subseteq var(it)$. For an example, consider the process

$Q = in(\underline{x}, z, 5).out(x, z).nil\ []\ in(7, z, \underline{y}).out(y, z).nil.$

Since we have
$(\underline{x}, z, 5) \asymp (7, z, \underline{y})$, $pf((\underline{x}, z, 5)) \cap pa((7, z, \underline{y})) = \{1\}$, $pf((7, z, \underline{y})) \cap pa((\underline{x}, z, 5)) = \{3\}$,
$bem((\underline{x}, z, 5), (7, z, \underline{y})) = [x = 7]$, $bem((7, z, \underline{y}), (\underline{x}, z, 5)) = [y = 5]$,
$\sigma((\underline{x}, z, 5), (7, z, \underline{y})) = [5/y]$ and $\sigma((7, z, \underline{y}), (\underline{x}, z, 5)) = [7/x]$,
it follows that from IN2 we can derive the equation

$Q =_{\mathcal{SP}} in(\underline{x}, z, 5).\text{if } x = 7 \text{ then } out(x, z).nil \oplus out(5, z).nil \text{ else } out(x, z).nil$
$\qquad []\ in(7, z, \underline{y}).\text{if } y = 5 \text{ then } out(7, z).nil \oplus out(y, z).nil \text{ else } out(y, z).nil.$
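As an added example (not from the paper), the Python below encodes Notation 6.1 and uses it to decide which of IN1 and IN2 rewrites a given external choice $in(it).X\ []\ in(it').Y$, and to compute the guards $bem$ and the substitutions $\sigma$ of the IN2 instance for the process $Q$ above. The encoding of evaluated input tuples as sequences of tagged fields (formal, value, or variable occurring in an actual field) and the 1-based positions are assumptions of this example.

```python
"""Notation 6.1 over evaluated input tuples, as an added example.

A field is ("formal", x) for an underlined variable x, ("val", v) for a value
v in Val, or ("var", z) for a variable occurring in an actual field; e.g. the
tuple (x, 3, y, x) of the text, with x and y formal, has pf = {1, 3}, pa = {2}."""

FORMAL, VAL, VAR = "formal", "val", "var"


def pf(it):
    """Positions (1-based) of the formal fields of it."""
    return {j for j, (kind, _) in enumerate(it, 1) if kind == FORMAL}


def pa(it):
    """Positions of the actual fields of it that are values."""
    return {j for j, (kind, _) in enumerate(it, 1) if kind == VAL}


def var(field):
    return field[1]


def _agree_outside(it, it2, slack):
    """Fields coincide at every position not in slack."""
    return len(it) == len(it2) and all(
        it[j - 1] == it2[j - 1] for j in range(1, len(it) + 1) if j not in slack)


def refines(it, it2):
    """it ⊒ it' (item 3): tuples may differ only where it is formal and it' a value,
    so every output tuple matching it' matches it, and the formals of it'
    are formals of it with the same names."""
    return _agree_outside(it, it2, pf(it) & pa(it2))


def compatible(it, it2):
    """it ≍ it' (item 4): corresponding formals identical, and values never clash,
    so some output tuple matches both."""
    return _agree_outside(it, it2, (pf(it) & pa(it2)) | (pf(it2) & pa(it)))


def bem(it, it2):
    """bem(it, it') (item 5) as the list of equations x_j = v_j, j in pf(it) ∩ pa(it')."""
    return [(var(it[j - 1]), var(it2[j - 1])) for j in sorted(pf(it) & pa(it2))]


def sigma(it, it2):
    """σ(it, it') (item 6) = [it_j / var(it'_j)] for j in pf(it') ∩ pa(it), as a dict."""
    return {var(it2[j - 1]): var(it[j - 1]) for j in sorted(pf(it2) & pa(it))}


def applicable_law(it, it2):
    """Which of IN1 and IN2 rewrites in(it).X [] in(it').Y; they never both apply,
    since it ⊒ it' forces pf(it') ∩ pa(it) to be empty."""
    if refines(it, it2):
        return "IN1"
    if compatible(it, it2) and pf(it) & pa(it2) and pf(it2) & pa(it):
        return "IN2"
    return None


# The two input tuples of Q = in(x, z, 5).out(x, z).nil [] in(7, z, y).out(y, z).nil
# (x formal in the first summand, y formal in the second).
IT1 = ((FORMAL, "x"), (VAR, "z"), (VAL, 5))
IT2 = ((VAL, 7), (VAR, "z"), (FORMAL, "y"))


def example_in2():
    """Everything IN2 needs for Q: the law selected, the premises, guards and substitutions."""
    return {
        "law": applicable_law(IT1, IT2),
        "pf1_pa2": pf(IT1) & pa(IT2),
        "pf2_pa1": pf(IT2) & pa(IT1),
        "bem12": bem(IT1, IT2),
        "bem21": bem(IT2, IT1),
        "sigma12": sigma(IT1, IT2),
        "sigma21": sigma(IT2, IT1),
    }
```

For $Q$ the function reports IN2 with $bem = [x = 7]$ and $[y = 5]$ and $\sigma = [5/y]$ and $[7/x]$, which are exactly the guards and substitutions appearing in the derived equation; for the IN1 instance $(\underline{x}) \sqsupseteq (2)$ it reports IN1 with $bem = [x = 2]$.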


Laws IN1 and IN2 are mutually exclusive, in the sense that if one can be applied the other cannot.

IN3 rests on the same ideas as IN1 and IN2. No summand is absorbed and law IN3 makes evident the internal nondeterminism due to the fact that there exist output tuples that both summands can access. IN1 and IN3 allow us to derive for $in$ laws similar to OUT2 and OUT3 (see D1 and D2 in Table 11).

The rules of the proof system are in Table 10. Most of them are borrowed from [28] and should be self-explanatory. The main addition is III (a similar rule was already present in [29]). It is infinitary if $Val$, hence $EOT$, is infinite. Thus, our proof system has two infinitary rules: VI for handling recursively defined terms and III for dealing with input prefixes. The use of infinitary rules makes the completeness result of purely theoretical interest. In practice, more tractable forms of induction are needed (one of these forms shall be used in the example presented at the end of this section). In VI, we use $E^n$ to denote the $n$th finite syntactic approximant of $E$. This is a standard construction of algebraic semantics and the actual definition can be found in, e.g., [28]. The basic idea is that every term $E$ determines a set of finite terms (i.e. without recursion) that are obtained by unfolding a finite number of times the recursive (sub)terms. In V(a), $\xi$ ranges over substitutions for process variables. VII and VIII assume the existence of evaluation mechanisms for expressions, boolean expressions and tuples. IX is an $\alpha$-conversion rule for input prefixed terms; substitutions are applied to tuples in the obvious way.

Table 10
Inference rules

I(a) $\dfrac{}{E \sqsubseteq E}$   I(b) $\dfrac{E_1 \sqsubseteq E_2 \quad E_2 \sqsubseteq E_3}{E_1 \sqsubseteq E_3}$

II $\dfrac{E_1 \sqsubseteq E_2}{op(\ldots, E_1, \ldots) \sqsubseteq op(\ldots, E_2, \ldots)}$ for every PAL operator $op$ other than $in(t).\_$ and $read(t).\_$

III $\dfrac{E_1[ot/it] \sqsubseteq E_2[ot/it] \text{ for every } ot \in EOT \text{ such that } match(it, ot)}{in(it).E_1 \sqsubseteq in(it).E_2}$

IV(a) $\dfrac{E_1 \sqsubseteq E_2}{rec\,X.E_1 \sqsubseteq rec\,X.E_2}$   IV(b) $\dfrac{}{rec\,X.E = E[rec\,X.E/X]}$

V(a) $\dfrac{E_1 \sqsubseteq E_2}{E_1\xi \sqsubseteq E_2\xi}$   V(b) $\dfrac{E_1 \sqsubseteq E_2 \text{ is a law}}{E_1 \sqsubseteq E_2}$

VI $\dfrac{\forall n \geq 0 : E_1^n \sqsubseteq E_2}{E_1 \sqsubseteq E_2}$

VII(a) $\dfrac{\mathcal{B}[\![be]\!] = tt}{\text{if } be \text{ then } E_1 \text{ else } E_2 = E_1}$   VII(b) $\dfrac{\mathcal{B}[\![be]\!] = ff}{\text{if } be \text{ then } E_1 \text{ else } E_2 = E_2}$

VIII(a) $\dfrac{t \text{ evaluates to } ot}{out(t).nil \lfloor E = out(ot).nil \lfloor E}$   VIII(b) $\dfrac{\mathcal{I}[\![t]\!] = it}{in(t).E = in(it).E}$

IX $\dfrac{x \in var(t), \quad y \text{ fresh}}{in(t).E = in(t[y/x]).E[y/x]}$

Table 11
Derived laws

D1 $in(it).X\ []\ in(it).Y = in(it).(X \oplus Y)$
D2 $in(it).X \oplus in(it).Y = in(it).(X \oplus Y)$
D3 $X \oplus Y = X \oplus Y \oplus (X\ []\ Y)$
D4 $X \oplus (Y\ []\ Z) = X \oplus (Y\ []\ Z) \oplus (X\ []\ Y)$
D5 $((out(ot).nil \lfloor X_1)\ []\ Y_1) \oplus ((out(ot).nil \lfloor X_2)\ []\ Y_2) =$
   $((out(ot).nil \lfloor (X_1 \oplus X_2))\ []\ Y_1) \oplus ((out(ot).nil \lfloor (X_1 \oplus X_2))\ []\ Y_2)$
D6 $\dfrac{it_1 \asymp it_2}{((in(it_1).X_1)\ []\ Y_1) \oplus ((in(it_2).X_2)\ []\ Y_2) = ((in(it_1).\text{if } bem(it_1, it_2) \text{ then } X_1 \oplus (X_2\sigma(it_1, it_2)) \text{ else } X_1)\ []\ Y_1) \oplus ((in(it_2).\text{if } bem(it_2, it_1) \text{ then } X_1\sigma(it_2, it_1) \oplus X_2 \text{ else } X_2)\ []\ Y_2)}$

It could be proven that each axiom is independent from the others (its removal would affect the relation provable in $\mathcal{SP}$). For the sake of space, we will not do it but, in the completeness proof, we will point out the specific role of each axiom. The soundness and completeness proof proceeds in two steps: first a reduced proof system is considered and its soundness and completeness for finite processes is proven; then, the inference rules are used to establish soundness and completeness of $\mathcal{SP}$.


410 R. De Nicola, R. Pugliese! Theoretical Computer Science 238 (2000) 389—437 


Let $\mathcal{SP}^-$ be the proof system obtained from $\mathcal{SP}$ by deleting rules IV(a) and VI in Table 10, which deal with possibly infinite terms. We shall write $E \sqsubseteq_{\mathcal{SP}^-} F$ to indicate that $E \sqsubseteq F$ can be derived within $\mathcal{SP}^-$.

The next theorem states soundness of $\mathcal{SP}^-$. Soundness of $\mathcal{SP}$ will rely on partial completeness of $\mathcal{SP}^-$; the soundness proof of $\mathcal{SP}$ will be completed in Theorem 6.22.

Theorem 6.2. For value-closed terms $E$ and $F$, $E \sqsubseteq_{\mathcal{SP}^-} F$ implies $E \sqsubseteq_M F$.

Proof. The soundness proof consists in checking that the preorder $\sqsubseteq_M$ is preserved by the rules and that the laws are satisfied by $\sqsubseteq_M$. Rule I states that $\sqsubseteq_M$ is a preorder. Soundness of II and III, stating the substitutivity of $\sqsubseteq_M$ into PAL contexts, is affirmed by Propositions 5.14 and 5.15. Soundness of IV(b), VII, VIII and IX can easily be proven by using the alternative characterization $\ll_M$ of $\sqsubseteq_M$. Rule V(a) is sound by definition of $\sqsubseteq_M$ over terms which are open with respect to process variables. Therefore, soundness of the proof system for open (w.r.t. process variables) terms is an easy consequence of soundness for closed ones. Soundness of V(b) reduces to that of the axioms in $\mathcal{SP}^-$. The axioms in $\mathcal{SP}^-$ can easily be proven sound by using $\ll_M$ instead of $\sqsubseteq_M$. □


Let us now concentrate on proving completeness of $\mathcal{SP}^-$ for finite PAL processes. The proof rests on the existence of standard forms (see, e.g., [37]) for processes called head normal forms (hnfs). Similar forms were already used e.g. in [19,28,29]. Intuitively, these special forms aim at describing processes as an internal non-deterministic choice among a set of initial states. In our framework, each initial state is represented by the initial events the process can perform and their derivatives.

We start by introducing the notions of closed and saturated set of events. For defining a partial order over acceptance sets, we must adapt the standard saturation procedure since our basic preorder $\lhd$, used for comparing finite sets of events, is not a partial order.


Definition 6.3. A finite subset $A$ of $Ev$ is closed if for each $e \in A$ there does not exist $e' \in A$, $e' \neq e$, such that $\{e'\} \lhd \{e\}$. We let

$cl(A) = \{(i, p) \in A \mid \forall (i, p') \in A : (\forall j \in pa(p') : p_j = p'_j) \text{ implies } p' = p\} \cup Ev_{out}(A),$

i.e. $cl(A)$ keeps an input event of $A$ only if no other input event of $A$ matches every tuple it matches.


Proposition 6.4. $\lhd$ is a partial order over the set of closed sets of events.

Proof. We must show that for all closed subsets $A$ and $B$ of $Ev$, we have that $A \lhd B$ and $B \lhd A$ if and only if $A = B$. Obviously, if $A = B$ then $A \lhd B$ and $B \lhd A$. Conversely, suppose that $A \lhd B$ and $B \lhd A$. We proceed by contradiction. Let us assume that $A \neq B$. Without loss of generality, we may assume that there exists $e \in A \setminus B$. Since $A \lhd B$ we get that there exists $e' \in B$ such that $\{e\} \lhd \{e'\}$. The hypothesis $e \notin B$ implies $e \neq e'$. Moreover, $e' \notin A$; otherwise it would contradict the fact that $A$ is closed. Therefore, since $e' \in B \setminus A$ and $B \lhd A$, we deduce that there exists $e'' \in A$ such that $\{e'\} \lhd \{e''\}$. By transitivity we get that $\{e\} \lhd \{e''\}$, which contradicts the fact that $A$ is closed. Therefore, $A = B$ must hold. □


Corollary 6.5. $cl(A)$ represents the equivalence class of $A$ with respect to $\lhd$.

Proof. By definition, $cl(A)$ is closed. Since $cl(A) \subseteq A$, by definition, we have $cl(A) \lhd A$. Moreover, for any $e \in A$ we have that either $e \in cl(A)$ or there exists $e' \in cl(A)$ such that $\{e\} \lhd \{e'\}$. Hence, $A \lhd cl(A)$. Therefore, from Proposition 6.4, it follows that if $B$ is a finite subset of $Ev$ such that $A \lhd B$ and $B \lhd A$ then $cl(A) = cl(B)$. □


We can now define the notion of saturated set, which in our framework applies to finite collections of sets of events (i.e. acceptance sets, see Section 5). If $\mathcal{A}$ is an acceptance set then we let $Ev(\mathcal{A})$ denote the set $\bigcup \{A \mid A \in \mathcal{A}\}$ of all events in $\mathcal{A}$, $Ev_{in}(\mathcal{A})$ denote the set of input events in $\mathcal{A}$ and $Ev_{out}(\mathcal{A})$ denote the set of output events in $\mathcal{A}$.

Definition 6.6. A finite collection $\mathcal{A}$ of closed sets of events is saturated, or is a saturated set, if the following conditions hold:
1. $cl(Ev(\mathcal{A})) \in \mathcal{A}$;
2. $A, B \in \mathcal{A}$, $C$ closed: $A \lhd C \lhd B$, $C \neq A$ and $C \neq B$ imply $C \notin \mathcal{A}$.
Let $sat(Ev)$, ranged over by $\mathcal{A}$, $\mathcal{B}$, etc., be the set of all saturated sets over $Ev$.

It is always possible to transform an acceptance set $\mathcal{A}$ into a saturated set $\mathcal{B}$ such that $\mathcal{A} \subset\!\subset \mathcal{B}$ and $\mathcal{B} \subset\!\subset \mathcal{A}$. We shall use the following construction. Let $sat(\mathcal{A})$ be the greatest subset of $U(\mathcal{A}) = \{cl(A) \mid A \in \mathcal{A}\} \cup \{cl(Ev(\mathcal{A}))\}$ such that
1. $cl(Ev(\mathcal{A})) \in sat(\mathcal{A})$;
2. $A \in U(\mathcal{A}) \setminus \{cl(Ev(\mathcal{A}))\}$ and $\exists B \in U(\mathcal{A}) \setminus \{A\} : B \lhd A$ imply $A \notin sat(\mathcal{A})$.

Note that for saturating a given collection of sets of events, instead of adding elements to the collection (as, e.g., in [19,28]), we delete some of the sets in the collection. This is somehow similar to the "minimization" procedure of [16] and is essential for obtaining finite collections. The saturation of acceptance sets like $\{\{(i, (5))\}, \{(i, (\_))\}\}$ would otherwise result in the infinite collection whose elements are sets containing $(i, (5))$ and events of the form $(i, (v))$, with $v \in Val \setminus \{5\}$.
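As an added example (not part of the paper), the following Python computes $cl(A)$ of Definition 6.3 and the deletion-based $sat(\mathcal{A})$ of the construction above, and checks the two conditions of Definition 6.6 on the result. Events and $\lhd$ are encoded as in Section 5, under the assumption that $Val$ is infinite, so that $\lhd$ on input events reduces to pattern subsumption; the acceptance sets it is run on, including the $\{\{(i,(5))\},\{(i,(\_))\}\}$ of the text, are constructed by hand.

```python
"""Closure of a set of events (Definition 6.3) and deletion-based saturation of
an acceptance set (Definition 6.6 and the construction sat(A)), as an added
example. Events are ("i", pattern) or ("o", tuple); Val is assumed infinite,
so the preorder <| on input events is decided by pattern subsumption."""

WILD = "_"


def subsumes(q, p):
    """MT({p}) is included in MT({q})."""
    return len(q) == len(p) and all(a == WILD or a == b for a, b in zip(q, p))


def event_le(A, B):
    """A <| B (Definition 5.5)."""
    outs = lambda S: {e for e in S if e[0] == "o"}
    ins = lambda S: {e for e in S if e[0] == "i"}
    return outs(A) <= outs(B) and all(
        any(subsumes(q, p) for (_, q) in ins(B)) for (_, p) in ins(A))


def cl(A):
    """cl(A): drop an input event when a different input event of A matches every
    tuple it matches; output events are always kept."""
    A = frozenset(A)
    keep = set()
    for e in A:
        if e[0] == "o":
            keep.add(e)
        elif not any(f != e and f[0] == "i" and subsumes(f[1], e[1]) for f in A):
            keep.add(e)
    return frozenset(keep)


def is_closed(A):
    return cl(A) == frozenset(A)


def sat(acc):
    """sat(A): the closures of the members of A plus cl(Ev(A)), minus every set other
    than cl(Ev(A)) that lies strictly <|-above another member of the collection."""
    top = cl(frozenset().union(*acc)) if acc else frozenset()
    U = {cl(A) for A in acc} | {top}
    return {A for A in U
            if A == top or not any(B != A and event_le(B, A) for B in U)}


def is_saturated(acc):
    """Conditions 1 and 2 of Definition 6.6 on a finite collection of closed sets."""
    acc = set(acc)
    if not all(is_closed(A) for A in acc):
        return False
    top = cl(frozenset().union(*acc)) if acc else frozenset()
    if top not in acc:
        return False
    return not any(event_le(A, C) and event_le(C, B) and C != A and C != B
                   for A in acc for B in acc for C in acc)


def acc_le(As, Bs):
    """Acceptance-set preorder of Definition 5.6."""
    return all(any(event_le(B, A) for B in Bs) for A in As)


# Constructed acceptance sets.
I5, I7, IANY, O3 = ("i", (5,)), ("i", (7,)), ("i", (WILD,)), ("o", (3,))
WILD_VS_VALUE = [frozenset({I5}), frozenset({IANY})]          # the example in the text
CHAIN = [frozenset({I5}), frozenset({I5, I7}), frozenset({I5, O3})]


def examples():
    return {
        "cl_drops_covered": cl({I5, IANY, O3}),
        "sat_wild_vs_value": sat(WILD_VS_VALUE),
        "sat_chain": sat(CHAIN),
        "chain_equivalent": acc_le(sat(CHAIN), CHAIN) and acc_le(CHAIN, sat(CHAIN)),
        "chain_saturated": is_saturated(sat(CHAIN)),
    }
```

On the text's example the result has exactly two members, $\{(i,(5))\}$ and $\{(i,(\_))\}$, where union-based saturation would have to add every $\{(i,(5)), (i,(v))\}$; on the three-element chain the two intermediate sets are deleted and the result is still $\subset\!\subset$-equivalent to the original, as Proposition 6.7 below states.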


Proposition 6.7. For every acceptance set $\mathcal{A}$, $sat(\mathcal{A}) \subset\!\subset \mathcal{A}$ and $\mathcal{A} \subset\!\subset sat(\mathcal{A})$.

Proof. We prove that $sat(\mathcal{A}) \subset\!\subset \mathcal{A}$ by case analysis on the elements of $sat(\mathcal{A})$:
• if $A = cl(Ev(\mathcal{A}))$ then, by definition, $\forall B \in \mathcal{A} : B \lhd A$;
• if $A \neq cl(Ev(\mathcal{A}))$ then, by definition, $\exists B \in \mathcal{A} : A = cl(B)$; hence $B \lhd A$.
We now prove that $\mathcal{A} \subset\!\subset sat(\mathcal{A})$. Let $A \in \mathcal{A}$; then $cl(A) \in U(\mathcal{A})$. We have two cases to consider. If $cl(A) \in sat(\mathcal{A})$, then $B = cl(A)$ is such that $B \lhd A$. Suppose now that $cl(A) \notin sat(\mathcal{A})$. Since $sat(\mathcal{A})$ is the greatest subset of $U(\mathcal{A})$ which enjoys properties 1 and 2 of Definition 6.6, then there must exist $B \in sat(\mathcal{A}) : B \lhd cl(A)$ (otherwise also $sat(\mathcal{A}) \cup \{cl(A)\}$ would enjoy the previous properties); by transitivity, $B \lhd A$. □


Proposition 6.8. $\subset\!\subset$ is a partial order over $sat(Ev)$.

Proof. We must show that for $\mathcal{A}$ and $\mathcal{B}$ saturated sets, we have that $\mathcal{A} \subset\!\subset \mathcal{B}$ and $\mathcal{B} \subset\!\subset \mathcal{A}$ if and only if $\mathcal{A} = \mathcal{B}$. Obviously, if $\mathcal{A} = \mathcal{B}$ then $\mathcal{A} \subset\!\subset \mathcal{B}$ and $\mathcal{B} \subset\!\subset \mathcal{A}$. Conversely, suppose that $\mathcal{A} \subset\!\subset \mathcal{B}$ and $\mathcal{B} \subset\!\subset \mathcal{A}$. We proceed by contradiction. Let us assume that $\mathcal{A} \neq \mathcal{B}$. If $A = cl(Ev(\mathcal{A})) \notin \mathcal{B}$ then either $\exists A' \in \mathcal{A} \setminus \mathcal{B} : A' \neq A$ (if $cl(Ev(\mathcal{B})) \lhd cl(Ev(\mathcal{A}))$) or $\exists B \in \mathcal{B} \setminus \mathcal{A} : B \lhd A$ and $B \neq cl(Ev(\mathcal{B}))$ (if $cl(Ev(\mathcal{A})) \lhd cl(Ev(\mathcal{B}))$). Therefore, without loss of generality, we may assume that there exists $A \in \mathcal{A} \setminus \mathcal{B}$ such that $A \neq cl(Ev(\mathcal{A}))$. Since $\mathcal{A} \subset\!\subset \mathcal{B}$, there exists $B \in \mathcal{B}$ such that $B \lhd A$. Moreover, $\mathcal{B} \subset\!\subset \mathcal{A}$ implies that there exists $A' \in \mathcal{A}$ such that $A' \lhd B$. By transitivity, we have $A' \lhd A$. Since $\mathcal{A}$ is saturated and $A \neq cl(Ev(\mathcal{A}))$, then $A' = A$. By Proposition 6.4, we get $A = B$, which contradicts the hypothesis that $A \notin \mathcal{B}$. □


We now introduce our standard forms for processes. 


Definition 6.9 (Head normal forms).
• We let $\doteq$ denote the least equivalence relation induced by the following rules:
  $\dfrac{\mathcal{B}[\![be]\!] = tt}{E \doteq \text{if } be \text{ then } E \text{ else } F}$   $\dfrac{\mathcal{B}[\![be]\!] = ff}{E \doteq \text{if } be \text{ then } F \text{ else } E}$
• A partial function $g : Ev \to Proc$ is a normal function (nf) if
  (a) $(o, ot) \in dom(g)$ implies $g((o, ot)) = out(ot).nil \lfloor P$ for some $P$;
  (b) $(i, p) \in dom(g)$ implies $g((i, p)) = in(it).E$, for some $E$, and $\mathcal{P}(it) = p$;
  (c) $g((i, p_1)) = in(it_1).E$, $g((i, p_2)) = in(it_2).F$ and $it_1 \asymp it_2$ imply $E\sigma(it_2, it_1) \doteq F\sigma(it_1, it_2)$.
• A process $P$ is a head normal form (hnf) if one of the following conditions holds:
  – $P = \sum_{e \in A} g(e)$ where $A$ is a closed set of events, $g$ is a nf and $dom(g) = A$;
  – $P = \bigoplus_{A \in \mathcal{A}} \sum_{e \in A} g(e)$ where $\mathcal{A}$ is saturated, $g$ is a nf and $dom(g) = Ev(\mathcal{A})$.

Let us comment on the definition above, where we have used terminology introduced in Notation 6.1. Intuitively, if $P \doteq Q$ then $\forall \alpha \in Act$, $P \xrightarrow{\alpha} R$ ($P \rightarrowtail R$) if and only if $Q \xrightarrow{\alpha} R$ ($Q \rightarrowtail R$), i.e. $P$ and $Q$ have the same derivatives, which obviously implies that $P$ and $Q$ are equivalent. Moreover, recall that $\sum_{e \in \emptyset} g(e)$ denotes $nil$; hence, $nil$ is a hnf. From the definition it should be evident that if $P$ is in hnf then $P \downarrow \varepsilon$. The functional notation has been adopted for pointing out that in a hnf each event $e$ is associated with a single term $g(e)$. Condition (c) ensures that for each initial action $\alpha$ that a hnf $P$ can perform, all $\alpha$ derivatives of $P$ are $\doteq$-equivalent, hence testing equivalent. Indeed, (c) checks that whenever a tuple $ot \in \{ot \mid match(it_1, ot), match(it_2, ot)\}$ is accessed the obtained processes are $\doteq$-equivalent. Therefore, for a given $\alpha$, we will not distinguish among $\alpha$ derivatives of a hnf $P$. In the sequel, we will consistently use the notation $P_\alpha$ for denoting $\alpha$ derivatives of a hnf $P$.
The counterpart of head normal forms for divergent but finite processes are $\Omega$-head normal forms.

Definition 6.10. A process $P$ is an $\Omega$-head normal form, $\Omega$-hnf for short, if one of the following conditions holds:
1. $nil$ and $\Omega$ are $\Omega$-hnf;
2. $\bigoplus_{A \in \mathcal{A}} \sum_{e \in A} P^A_e$ is an $\Omega$-hnf if $\forall A \in \mathcal{A}$, $\forall e \in A$, $P^A_e$ is of the form $in(it).E$ or of the form $out(ot).nil \lfloor P$.


For proving completeness, we need a special induction parameter, namely the largest number of communications that a finite process can perform. This parameter can be defined in terms of the maximal number of visible actions the process can do during a derivation. We define the depth of a finite process $P$ as $depth(P) = \max\{|\rho| \mid P \stackrel{\rho}{\Longrightarrow}\}$. Let $E$ denote a value-open finite process. We generalize the definition of depth by letting $depth(E) = \max\{depth(P) \mid P \text{ value-closed instantiation of } E\}$. Since we have confined ourselves to finite terms without process variables this number is finite.

The following propositions about the existence of standard forms for processes will be used in the proof of the completeness theorem. The laws in Table 8 and OUT1 and EVAL in Table 9 are used for expressing the parallel operators in terms of the non-deterministic ones; the laws in Tables 6, 9 and 11 are crucial for obtaining saturated sets of events. All the laws in Table 11 can be derived within $\mathcal{SP}^-$. Indeed, the first two laws are easily derived from IN1 and IN3, respectively. D3 and D4 can be derived in exactly the same way as the corresponding ones in [28]. The last two laws can be obtained in a similar fashion as Der3 in [28, p. 97]; in particular, D6 is obtained if IN2 and IN3 are used instead of the laws which in [28] correspond to D1 and D2.


Proposition 6.11. For any finite process $P$ there exists an $\Omega$-hnf $\Omega(P)$ such that $P =_{\mathcal{SP}^-} \Omega(P)$.

Proof. The actual proof goes by structural induction on $P$ (in case $P = P_1 \,|\, P_2$ it further relies on $depth(P_1 \,|\, P_2)$) and is omitted because it is similar to that of Lemma 3.4.3 in [35]. □

Proposition 6.12. For any finite process $P$, $P \uparrow \varepsilon$ if and only if $P =_{\mathcal{SP}^-} \Omega$.

Proof. By the previous proposition, we may assume that $P$ is an $\Omega$-hnf. If $P \uparrow \varepsilon$ then $P$ must be $\Omega$, otherwise (it must be either $nil$ or of the form $\bigoplus_{A \in \mathcal{A}} \sum_{e \in A} P^A_e$ where $P^A_e$ is as in Definition 6.10) it cannot diverge. Conversely, if $P =_{\mathcal{SP}^-} \Omega$ then, since the proof system $\mathcal{SP}^-$ is sound with respect to $\sqsubseteq_M$, we get $P \simeq_M \Omega$. In particular this means that $P \ll_M \Omega$, and then $P \uparrow \varepsilon$. □


To simplify the reduction of convergent processes to hnfs within $\mathcal{SP}^-$ (Proposition 6.15) we introduce another special form for processes, namely head sum forms (hsf). We will show that every convergent process can be transformed into a hsf and that every hsf can be transformed into a hnf. Roughly speaking, a hsf is a process whose top-level operators are $\_ \oplus \_$, $\_ [] \_$ or one of $in(it).\_$ and $out(ot).nil \lfloor \_$, in this order.

Definition 6.13. The set of head sum forms, $HSF$, is the least set of processes which satisfies:
1. $out(ot).nil \lfloor P \in BHSF$, $in(it).E \in BHSF$ if $fv(E) \subseteq var(it)$;
2. $\sum_{e \in A} P_e \in HSF$ if $\forall e \in A : P_e \in BHSF$;
3. $\bigoplus_{A \in \mathcal{A}} \sum_{e \in A} P^A_e \in HSF$ if $\forall A \in \mathcal{A}, \forall e \in A : P^A_e \in BHSF$.


Proposition 6.14. For any finite process P, if P | e then there exists a hsf, s(P) such 
that P =,, s(P). 


Proof. The proof is omitted because it is similar to that of Proposition 3.4.6 in [35]. 


Proposition 6.15. For any process P, if P ↓ ε then there exists a hnf, h(P), such that 
P =_SRP h(P). 


Proof. Because of Proposition 6.14, we may assume that P is a hsf, say P = ⊕_{A∈𝒜} 
Σ_{e∈A} P_e (the case P = Σ_{e∈A} P_e is similar). By repeated use of law IN1, we can 
rewrite P in a hsf ⊕_{B∈ℬ} Σ_{e∈B} P_e^B such that each B ∈ ℬ is a closed set of events. To 
make P_e^B independent of B we repeatedly use laws MIX1, MIX2, OUT2, IN2, D5 and D6. 
The resulting hsf is of the form ⊕_{B∈ℬ} Σ_{e∈B} Q_e; however, condition (c) of Definition 
6.9, in general, is not satisfied. Laws IN2 and D6 (which generalize law IN3) can be 
repeatedly used to obtain a hnf ⊕_{B∈ℬ} Σ_{e∈B} Q'_e such that if we define g(e) = Q'_e for 
each e ∈ Ev(ℬ) then g is a normal function. The last step consists in saturating the hsf 
⊕_{B∈ℬ} Σ_{e∈B} g(e). This is the only missing requirement for a hsf to be a hnf; it can be 
satisfied by using laws D3 and D4. □ 


The relation we are going to define permits syntactical comparisons of hnfs at their 
top level. It is a bridge between the semantical relation ⊑_M and the proof-theoretic 
one ⊑_SRP. In the following we shall use IA(P) to denote the set of actions P can 
(initially) perform, i.e. IA(P) = {α ∈ Act | ∃P' : P --α--> P'}. 


Proposition 6.16. If P and Q are hnfs, P ⊑_M Q implies P_α ⊑_M Q_α for each α ∈ IA(P) 
∩ IA(Q). 


Proof. We have two cases to consider according to α = ot! or α = ot?. In the first case, 
if P_α must O, let O' = (in(ot).O)[]isucc; then P must O'. Therefore, by hypothesis, Q 
must O'. Since Q | O' --->* Q_α | O it follows that Q_α must O. The case α = ot? can be 
proven similarly but with O' = ((out(ot).nil)||O)[]isucc. □ 
Definition 6.17. Let P and Q be hnfs. We write P ≪ Q if IA(Q) ⊆ IA(P) and one 
of the following conditions holds: 

1. P = Σ_{e∈A} g₁(e) and Q = Σ_{e∈A} g₂(e); 

2. P = ⊕_{A∈𝒜} Σ_{e∈A} g₁(e) and Q = ⊕_{B∈ℬ} Σ_{e∈B} g₂(e), with ℬ ⊂⊂ 𝒜; 

3. P = ⊕_{A∈𝒜} Σ_{e∈A} g₁(e) and Q = Σ_{e∈B} g₂(e), with A ⊲ B for some A ∈ 𝒜. 


Proposition 6.18. If P and Q are hnfs then P ⊑_M Q implies P ≪ Q. 


Proof. We start proving that IA(Q) ⊆ IA(P). We show that if there exists α ∈ 
IA(Q)\IA(P) then P ⋢_M Q. Suppose that α = ot! ∈ IA(Q)\IA(P) and take the 
observer O = in(ot).nil[]isucc. Since P ↓ ε (indeed P is a hnf) and α ∉ IA(P), i.e. 
α ∉ L(P), then P must O. However, we can construct the unsuccessful computation 
Q|O --->* Q_{ot!}|nil hence Q must̸ O. If α = ot? we can argue similarly by using the ob- 
server (out(ot).nil)[]isucc. Therefore, IA(Q) ⊆ IA(P) and we are left to prove that 
one of the conditions in Definition 6.17 holds. 

Suppose that P = Σ_{e∈A} g₁(e). The hypothesis P ⊑_M Q implies 𝒜(Q, ε) ⊂⊂ 𝒜(P, ε) = 
{A}, i.e. ∀B ∈ 𝒜(Q, ε): A ⊲ B. This implies A ⊲ Ev(ℬ) and then A ⊲ cl(Ev(ℬ)). Since 
IA(Q) ⊆ IA(P) then cl(Ev(ℬ)) ⊲ cl(A) = A. Hence, A = cl(Ev(ℬ)) and since ℬ is 
saturated A ∈ ℬ. Therefore, for each B ∈ ℬ, A = cl(Ev(ℬ)) ⊲ B ⊲ cl(Ev(ℬ)) = A, i.e. 
ℬ = {A}, and Q must have the form Σ_{e∈A} g₂(e) and condition 1 of Definition 6.17 
holds. Suppose now that P = ⊕_{A∈𝒜} Σ_{e∈A} g₁(e). We have two cases to consider ac- 
cording to the syntactic form of Q. First, assume that Q = ⊕_{B∈ℬ} Σ_{e∈B} g₂(e). We must 
prove that condition 2 of Definition 6.17 holds, i.e. that ℬ ⊂⊂ 𝒜. This directly follows 
from the fact that ⊑_M and ≪_M coincide. Indeed, by definition of ≪_M, the hypothesis 
P ⊑_M Q implies that ℬ = 𝒜(Q, ε) ⊂⊂ 𝒜(P, ε) = 𝒜. Suppose now that Q = Σ_{e∈B} g₂(e). 
We must prove that condition 3 of Definition 6.17 holds, i.e. ∃A ∈ 𝒜: A ⊲ B. From the 
syntactic form of Q it follows that 𝒜(Q, ε) = {B}. Since P ⊑_M Q, then A ∈ 𝒜 exists 
such that A ⊲ B. □ 


Proposition 6.19. Let P and Q be hnfs such that P ≪ Q; then P ⊑_SRP Q if for each 
α ∈ IA(Q), P_α ⊑_SRP Q_α. 


Proof. Since IA(Q) ⊆ IA(P) then S(Q) ⊲ S(P). Let g₁ and g₂ be the normal func- 
tions associated with P and Q, respectively. Let us consider the process R defined by 
substituting in Q each g₂(e) with g₃(e) where g₃: S(Q) → Proc, by using Notation 6.1, 
is defined as follows: 

• if e = (o, ot) then g₃(e) = g₁(e); 

• if e = (i, p) then g₃(e) = in(it).E_0(it, it') where it, it' and E are such that g₂(e) = 
in(it).F for some F, it' = it, ∃e' ∈ S(P): {e} ⊲ {e'} and, by possibly applying rule 
IX, g₁(e') = in(it').E. 

By using the hypothesis and by applying rule II (case 1) for α of the form ot! and 
rule III for α of the form ot?, it is straightforward to show that g₃(e) ⊑_SRP g₂(e) for 
each e ∈ S(Q). Therefore, by using rule II, we deduce that R ⊑_SRP Q. If P is of the 
form Σ_{e∈A} g₁(e) then P = R and we have finished; otherwise we use laws D3 and D4 
(in the reverse direction of the saturation procedure described in Proposition 6.15) for 
rewriting P in the form ⊕_{A∈𝒜} Σ_{e∈A} g₁(e) ⊕ ⊕_{B∈ℬ} Σ_{e∈B} g₃(e) where 𝒜 and ℬ 
are the saturated sets associated with P and Q, respectively. By applying law IC4 it 
immediately follows that P ⊑_SRP Q and the thesis is proven. □ 


We can now prove partial completeness of SRP. 


Theorem 6.20. For all processes P and Q, P finite, P ⊑_M Q implies P ⊑_SRP Q. 


Proof. If P ↑ ε then P =_SRP Ω (Proposition 6.12) and the thesis follows from law UND1. 
Otherwise, P ↓ ε and therefore there exists a hnf, h(P), such that P =_SRP h(P) (Proposition 
6.15). Soundness of SRP with respect to ⊑_M implies that P and h(P) have exactly 
the same traces and, then, depth(P) = depth(h(P)). The hypothesis implies that Q ↓ ε, 
hence, by Proposition 6.15, there exists a hnf, h(Q), such that Q =_SRP h(Q). We are left 
to prove that h(P) ⊑_SRP h(Q). We proceed by induction on depth(P). If depth(P) = 0 
then h(P) = nil. Because of soundness of SRP, the hypothesis implies h(P) ⊑_M h(Q). 
Therefore it must be h(Q) = nil and the thesis for this part is proven. Suppose now 
that depth(h(P)) > 0. From Proposition 6.18, we have that h(P) ≪ h(Q). In particular, 
this means that IA(h(Q)) ⊆ IA(h(P)), hence IA(h(Q)) ∩ IA(h(P)) = IA(h(Q)). 
By Proposition 6.16, we deduce that for each α ∈ IA(h(Q)): h(P)_α ⊑_M h(Q)_α. By the 
inductive hypothesis, we deduce that for each α ∈ IA(h(Q)): h(P)_α ⊑_SRP h(Q)_α. From 
Proposition 6.19, we obtain the thesis. □ 


Now we consider the full proof system. The proposition below (that relies on 
partial completeness of SRP) will be used for proving soundness of the full system. There, P^n 
denotes the nth finite syntactic approximant of P. 


Proposition 6.21. For any process P and any observer O, if P must O then there 
exists n ≥ 0 such that P^n must O. 


Proof. To prove the thesis it suffices to show that there exists a finite R such that 
R ⊑_SRP P and R must O (it is, indeed, routine (see, e.g., [28]) to show that, for any finite 
process P and any process Q, P ⊑_SRP Q implies P ⊑_SRP Q^n for some n ≥ 0). Suppose now 
that P must O and consider the computation tree from P|O with branches pruned to 
obtain a tree whose leaves are all those nodes that can perform ω; call this tree T. 
Since, for each process R, ID(R) is finite (Proposition 4.4), then T is finitely branching. 
Hence, since P must O, by König's lemma, it follows that T is finite. The proof now 
proceeds by induction on the maximal number of communications between P and O 
in a path from the root to a leaf in T. It can be easily seen that this number does 
not change if we consider the computation tree from P'|O for any P' that is testing 
equivalent to P. If P ↑ ε then it must be that Ω must O and we can take R = Ω. If P ↓ ε 
then (using partial completeness of SRP) we may suppose that P is in hnf and we can 
reason by case analysis. 

Suppose that P = Σ_{e∈A} g(e). A process R is built up out of the finite processes R_e, 
for e ∈ A, defined as follows. 

e = (i, p). Let P_e and it be such that g(e) = in(it).P_e. Consider the set 


Pairs(it) = {(ot, O')| O Oi Oe O', match(it,ot), W0<j<k: O; ^) 


For each (ot, O') ∈ Pairs(it), we have P|O --->* P_e[ot/it]|O', thus the hypothesis 
implies that P_e[ot/it] must Σ{O' | (ot, O') ∈ Pairs(it)}. By the inductive hypo- 
thesis, there exists a finite process R_{e,ot} such that R_{e,ot} ⊑_SRP P_e[ot/it] and R_{e,ot} 
must Σ{O' | (ot, O') ∈ Pairs(it)}, i.e. R_{e,ot} must O' for each (ot, O') ∈ Pairs(it). 
Let mt(e) = {ot | ∃O' : (ot, O') ∈ Pairs(it)}. Since, for each R, OT(R) is finite 
(Proposition 4.4), then mt(e) is finite, say mt(e) = {ot¹, ot², ..., ot^n}. We can define 


R_e = if bem(it, ot¹) then R_{e,ot¹} else ... if bem(it, ot^n) then R_{e,ot^n} else Ω 


By rule VII it is easy to check that R_e[ot/it] ⊑_SRP P_e[ot/it], ∀ot : match(it, ot). 
e = (o, ot). Let P_e be such that g(e) = out(ot).nil||P_e. If the set 


Get(ot) — (0' | O > 01 »— ... OS O', VO j&k:0; 4} 


is not empty, then P_e must Σ{O' | O' ∈ Get(ot)}. By the inductive hypothesis, 
there exists a finite process R'_e such that R'_e ⊑_SRP P_e and R'_e must Σ{O' | O' ∈ 
Get(ot)}, i.e. R'_e must O' for each O' ∈ Get(ot). In this case we define R_e = R'_e. 
If Get(ot) = ∅ then we define R_e = Ω. 
Now we define R = Σ_{e∈A} g'(e) where ∀e ∈ A: g'(e) = g(e)[R_e/P_e]. By construction, 
R must O and, moreover, by using rules II and III, it can be easily seen that R ⊑_SRP P. 
Suppose that P = ⊕_{A∈𝒜} Σ_{e∈A} g(e). For each A ∈ 𝒜, Σ_{e∈A} g(e) must O. By repeating 
the above construction, we get that, for each A ∈ 𝒜, there exists a finite process R_A 
such that R_A ⊑_SRP Σ_{e∈A} g(e) and R_A must O. We define R = ⊕_{A∈𝒜} R_A and the thesis 
follows (by using rule II). □ 


Theorem 6.22. For all processes P and Q, if P ⊑ Q is provable in the full proof system then P ⊑_M Q. 


Proof. We are only left to show that rules IV(a) and VI are sound. Rule IV(a) is 
derivable from the other axioms and rules of the full proof system (see, e.g., [19]) and therefore it is 
sound. Soundness of the ω-inductive rule VI easily follows by Proposition 6.21. □ 


Finally, completeness of the full proof system can be established. 


Theorem 6.23. For all processes P and Q, P ⊑_M Q implies that P ⊑ Q is provable in the full proof system. 


Proof. Suppose that P ⊑_M Q. A standard result of algebraic semantics (see, e.g., [28]) 
states that since ⊑_M satisfies I, II, III, IV(b) and UND1 then for every n ≥ 0 : P^n ⊑_M Q. 
By completeness of SRP, we can infer that for every n ≥ 0, P^n ⊑_SRP Q and, then, for 
every n ≥ 0, P^n ⊑ Q is provable in the full proof system. Now, we can apply VI and conclude that P ⊑ Q. □ 


6.1. Using the proof system 


In this section, we show how the proof system can be used for proving correctness 
of simple programs that add two arrays elementwise. We already assumed 
that the language is parameterized on a countable set of values, Val. Here, we require 
that Val be the natural numbers. Let A and B be two arrays of n naturals. We 
shall consider PAL processes which add A and B elementwise leaving the result in an 
array C. 

To better exploit the parallelism intrinsic in the problem, every array is represented 
as a distributed data structure [13]. Hence, we shall use a tuple for every single 
element of every array. To represent A, B, C we shall use n tuples with three fields: 
the first one contains a constant 0, 1, 2 which identifies the array, the second one the 
index i of the element and the last one the value A_i, B_i, C_i of the element. 

The processes we consider add elements of A and B with the same index, if they 
both exist, for any (finite) length arrays. Let us consider the PAL processes 
• Q = rec X. in(0, x, y).eval(X).in(1, x, z).out(2, x, y + z).nil, and 
• P_k, where P₂ = Q|Q and P_{k+1} = Q|P_k, for k ≥ 2. 
We want to show that process P_k obtained by putting in parallel k copies of Q is 
provably equal to Q, that is P_k = Q. We may think of Q as a process which executes 
on a single processor and is able to dynamically reproduce itself when a new element 
of array A is accessed. Each instance computes an element of array C. The number of 
instances which are concurrently active depends on the difference between the number 
of elements of A and that of elements of B which have been accessed. We may think 
about P_k as a really distributed process consisting of k copies of process Q which are 
simultaneously executed on k different processors. In this sense P_k may be thought of 
as a more efficient and fault-tolerant solution of the problem than Q. 
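The behaviour of Q and P_k described above can be observed on a small simulation. The following Python program is an added example, not code from the paper: it models the tuple space with blocking in and non-blocking out, models eval as spawning a fresh copy of Q, and runs k copies of Q under a randomized scheduler (the scheduler, the generator-based encoding of processes and the sample arrays are all assumptions of this example). Whatever k and whatever interleaving is chosen, the tuples tagged 2 that remain in the space are exactly the elementwise sums of the indices present in both A and B, and the copies of Q that remain are those blocked waiting for further input.

```python
"""Simulation of Q = rec X. in(0,x,y).eval(X).in(1,x,z).out(2,x,y+z).nil and
of P_k = Q | ... | Q (k copies) over a Linda tuple space.
Added example: the process encoding and scheduler are assumptions, not the
paper's own definitions."""
import random


class TupleSpace:
    """Multiset of tuples. A pattern field of None is a formal (matches anything)."""

    def __init__(self, tuples=()):
        self.tuples = list(tuples)

    def out(self, t):
        self.tuples.append(t)

    def in_(self, pattern):
        """Remove and return the first tuple matching pattern, or None if no
        tuple matches (the caller then stays blocked, as Linda's in does)."""
        for i, t in enumerate(self.tuples):
            if len(t) == len(pattern) and all(
                p is None or p == v for p, v in zip(pattern, t)
            ):
                return self.tuples.pop(i)
        return None


def Q():
    """One instance of Q, written as a generator that yields Linda requests
    and receives the matched tuple back from the scheduler."""
    _, x, y = yield ("in", (0, None, None))   # in(0, x, y): take an A element
    yield ("eval", Q)                          # eval(X): spawn a fresh copy of Q
    _, _, z = yield ("in", (1, x, None))       # in(1, x, z): B element, same index
    yield ("out", (2, x, y + z))               # out(2, x, y + z): publish C element


def run(space, procs, seed=0, max_steps=10_000):
    """Interleave the processes in random order until all have terminated or
    every remaining one is blocked on an input. Returns the number of
    processes still waiting."""
    rng = random.Random(seed)
    live = [[p(), None] for p in procs]        # [generator, pending request]
    for _ in range(max_steps):
        if not live:
            return 0
        progressed = False
        for entry in rng.sample(live, len(live)):
            gen, req = entry
            try:
                if req is None:                 # process not started yet
                    entry[1] = next(gen)
                elif req[0] == "out":
                    space.out(req[1])
                    entry[1] = gen.send(None)
                elif req[0] == "eval":
                    live.append([req[1](), None])
                    entry[1] = gen.send(None)
                elif req[0] == "in":
                    t = space.in_(req[1])
                    if t is None:
                        continue                # blocked: no matching tuple yet
                    entry[1] = gen.send(t)
                progressed = True
            except StopIteration:               # reached nil
                live.remove(entry)
                progressed = True
        if not progressed:
            break                               # all remaining processes blocked
    return len(live)


def add_arrays(a, b, k, seed=0):
    """Run P_k (k copies of Q; k = 1 is Q itself) on arrays a and b stored as
    (0, i, a_i) and (1, i, b_i) tuples. Returns ({index: sum}, waiting)."""
    space = TupleSpace(
        [(0, i, v) for i, v in enumerate(a)] + [(1, i, v) for i, v in enumerate(b)]
    )
    waiting = run(space, [Q] * k, seed)
    result = {t[1]: t[2] for t in space.tuples if t[0] == 2}
    return result, waiting


if __name__ == "__main__":
    # Constructed sample input: A = [1, 2, 3], B = [10, 20, 30].
    for k in (1, 2, 3):
        print(k, add_arrays([1, 2, 3], [10, 20, 30], k, seed=k))
```

With equal-length arrays every run leaves exactly k copies of Q blocked on in(0, x, y), one per original copy, since each access to an A element spawns a replacement. When A is longer than B, the extra instances stay blocked on in(1, x, z), which is the "difference between the number of elements of A and that of elements of B which have been accessed" mentioned in the text.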

Rather than using the full power of the proof system, we will use a simpler induction rule. Here 
we use a powerful but simple form of induction for dealing with recursively defined 
terms, namely Unique Fixpoint Induction [28], which is expressed by the following 
rule: 

UFI: from E = T[E/X] infer E = rec X.T, where X is guarded in T. 
UFI can be derived within the full proof system (see, e.g. [19]) and here it can be correctly used since 
all terms we examine are guarded, i.e. all occurrences of process variables are preceded 
by a blocking prefix. 

We proceed by induction on k. Firstly, we prove that P₂ = Q. The term Q is 
recursively defined and in order to show 


P₂ = rec X. in(0, x, y).eval(X).in(1, x, z).out(2, x, y + z).nil 
we can use an instance of UFI. Hence, it is sufficient to deduce 
P₂ = in(0, x, y).eval(P₂).in(1, x, z).out(2, x, y + z).nil 
that is, by applying EVAL, 
P₂ = in(0, x, y).(P₂ | in(1, x, z).out(2, x, y + z).nil).   (1) 


This may be proven by using a standard strategy, consisting of expanding out the 
recursive definitions and applying the laws for parallel operators and the interleaving 
law PAR3. 

By expanding out the recursive definitions and applying EVAL we get 


P₂ = Q | Q 
   = in(0, x₁, y₁).(Q | in(1, x₁, z₁).out(2, x₁, y₁ + z₁).nil) 
     | in(0, x₂, y₂).(Q | in(1, x₂, z₂).out(2, x₂, y₂ + z₂).nil). 
Since 
Q = in(0, x₁, y₁).(Q | in(1, x₁, z₁).out(2, x₁, y₁ + z₁).nil) 
and 
Q = in(0, x₂, y₂).(Q | in(1, x₂, z₂).out(2, x₂, y₂ + z₂).nil), 
by applying the interleaving law PAR3 we get 
P₂ = in(0, x₁, y₁).(Q | Q | in(1, x₁, z₁).out(2, x₁, y₁ + z₁).nil) 
     [] in(0, x₂, y₂).(Q | Q | in(1, x₂, z₂).out(2, x₂, y₂ + z₂).nil). 


By applying IX for renaming the variables bound by input prefixes and EC3 for 
coalescing the two summands of [] we get Eq. (1) and then we conclude that P₂ = Q. 

Now, we prove the inductive step. We assume that P_k = Q. By applying II with 
hypothesis Q ⊑ Q and P_k ⊑ Q in the case of the operator | we get 


P_{k+1} = Q | P_k ⊑ Q | Q = P₂ = Q. 


In a similar way we can derive that Q ⊑ P_{k+1} and therefore we conclude that P_k = Q 
for all k ≥ 2. 


7. Denotational semantics for PAL 


In this section we define a denotational semantics for PAL and prove that it is 
fully abstract with respect to the testing preorders. The denotational model shall be 
given under the form of a natural interpretation. This is a slight variant of the usual 
algebraic semantics (see, e.g. [25,28]) and it has been introduced in [31] for dealing 
with languages with value-passing (see, e.g. [31,29,35]). Much of the following notation 
is borrowed from [29,35]. 


Notation 7.1. We will write λx.[be(x)] → g(x), h(x) to denote a function f which is 
defined by f(x) = g(x) if be(x), f(x) = h(x) otherwise. 

Let A₁, A₂, B₁ and B₂ be sets and f_j: A_j → B_j, j = 1, 2. Let ⊎ denote disjoint union 
between sets. We let f₁ ⊎ f₂ denote the function with functionality A₁ ⊎ A₂ → B₁ ⊎ B₂ 
defined by 


(f₁ ⊎ f₂)(a) = f₁(a) if a ∈ A₁, 
              f₂(a) if a ∈ A₂. 


Let f be a function from a cpo (complete partial order) D to a cpo D'; we will use 
dom(f) to refer to D (the domain of f) and we let support(f) = {d ∈ dom(f) | f(d) ≠ 
⊥}. ∅ will be used to denote the empty (totally undefined) function (i.e., if ∅ is a 
function from D to D', dom(∅) = D and support(∅) = ∅). If I is a set of elements of 
a cpo (D, ≤_D), we will use ⊔I for denoting the least upper bound (lub) of I with 
respect to ≤_D, if it exists. 

We let Fin(S → D) denote the set of partial functions from a set S to a cpo (D, ≤_D) 
with finite domain, and let Fin_s(S → D) denote those functions with finite support. On 
both the sets, we will use the following non-standard ordering: 


f ≤_Fin g iff dom(g) ⊆ dom(f) and ∀s ∈ support(f) ∩ dom(g): f(s) ≤_D g(s). 


Note that the more defined the partial function is the smaller it is for ≤_Fin. It holds that 
if (D, ≤_D) is an (ω-algebraic) cpo then (Fin(S → D)_⊥, ≤_Fin) and (Fin_s(S → D)_⊥, ≤_Fin) 
are (ω-algebraic) cpo's as well (the proof can be done along the lines of that of 
Lemma 3.3.5 in [35]). 


7.1. The model AT^L: acceptance trees for Linda 


Due to its computational nature, we choose to interpret the language in some cpo 
D where recursive definitions can be interpreted. To each of the operators in Σ⁻ 
we associate a continuous function over D of appropriate arity. The only exceptions 
are the eval prefixing, which is a derived operator and whose denotational semantics 
is given by using the parallel operator, and the if be then . else .. For the sake of 
simplicity, in the following we will use Σ⁻ to denote the set of all PAL operators 
with the exception of prefixing by in, read and eval, and of the conditional construct 
if be then . else .. 

The input prefixes cannot be interpreted similarly, as they are binding operators for 
value variables, and we need an extra structure for interpreting them. For example, 
when var(t) ≠ ∅, in(t)._ can take an open term and return a process. An appropriate 
type for an input operation is 


AEIT × (EOT → D) → D 
where D is the proposed interpretation of processes. read(t)._ can be interpreted simi- 
larly. 


Definition 7.2. A natural interpretation for PAL is a quadruple (D, ≤_D, Σ⁻_D, in_D) 

where 

• (D, ≤_D, Σ⁻_D) is a Σ-cpo, i.e. (D, ≤_D) is a cpo on which is defined a continuous 
function for each operator in the signature Σ⁻; 

• in_D: AEIT × (EOT → D) → D is a total function continuous in its second argu- 
ment (where (EOT → D) inherits the natural pointwise ordering, denoted by ≤_D, 
from D). 

Given such a natural interpretation D, we can define a denotational semantics for 
PAL. To cope with open terms, we use D-environments, i.e. mappings from 𝒳 (the 
set of process variables) to D. Env_D, ranged over by ξ, will represent the set of 
D-environments. 

The denotational semantics is given as a function 𝒟[·]: PAL → (Env_D → D) defined 
by structural induction via the following clauses: 


1. 𝒟[X]ξ = ξ(X) 

2. 𝒟[Ω]ξ = ⊥_D 

3. 𝒟[nil]ξ = nil_D 

4. 𝒟[E op F]ξ = 𝒟[E]ξ op_D 𝒟[F]ξ where op ∈ {⊕, [], |, ⌊, ||} 

5. 𝒟[eval(E).F]ξ = 𝒟[E]ξ |_D 𝒟[F]ξ 

6. 𝒟[out(t).E]ξ = out^ot_D(𝒟[E]ξ) where ot = 𝒪[t] 

7. 𝒟[if be then E else F]ξ = 𝒟[E]ξ if ℬ[be] = tt 
   𝒟[if be then E else F]ξ = 𝒟[F]ξ if ℬ[be] = ff 

8. 𝒟[rec X.E]ξ = Y λd.𝒟[E]ξ[d/X] 

9. 𝒟[in(t).E]ξ = in_D(ρ(ℐ[t]), g) where g = λx.[match(ℐ[t], x)] → 𝒟[E[x/ℐ[t]]]ξ, ⊥_D 
   𝒟[read(t).E]ξ = in_D(ρ(ℐ[t]), g) where g = λx.[match(ℐ[t], x)] → (out^x_D(nil_D) |_D 
   𝒟[E[x/ℐ[t]]]ξ), ⊥_D 


where Y is the least fixed point operator for continuous functions in D. 
In the rest of this section we shall construct a particular natural interpretation AT^L 
that properly reflects the testing preorder ⊑_M. It rests on an ω-algebraic Σ-cpo, i.e. 
an algebraic cpo with a countable set of compact elements. As the interpretation is 
algebraic, it is completely determined by its compact elements. 

The construction of the model AT^L rests on the description of the set fAT^L of its 
compact elements and on the description of the relative partial ordering ≤_{fAT^L}. 


Definition 7.3 (Compact elements). We define the cpo (fAT^L, ≤_{fAT^L}) by 
• fAT^L is the least set that satisfies the following requirements: 
1. ⊥ ∈ fAT^L 
2. if 𝒜 ∈ sat(Ev), f_out ∈ Fin(EOT → fAT^L)_⊥, dom(f_out) = 𝒯(Ev_out(𝒜)), 
f_ir ∈ Fin_s(EOT → fAT^L)_⊥ and dom(f_ir) = ℳ𝒯(ρ(Ev_ir(𝒜))) then 
(𝒜, f_ir ⊎ f_out) ∈ fAT^L. 
• ≤_{fAT^L} is defined as follows: 
1. ⊥ ≤_{fAT^L} T for all T ∈ fAT^L 

2. (𝒜, f_ir ⊎ f_out) ≤_{fAT^L} (ℬ, g_ir ⊎ g_out) if ℬ ⊂⊂ 𝒜, f_ir ≤_Fin g_ir and f_out ≤_Fin g_out. 
We shall write f_ir ⊎ f_out ≤_Fin g_ir ⊎ g_out as shorthand for f_ir ≤_Fin g_ir and f_out ≤_Fin g_out. 
Note that the less deterministic the process is the less is it in the order. 

Now, we turn the poset fAT^L in a Σ-po algebra by providing a Σ-algebra structure 
to it. To this aim we must define a monotonic function for each operator in Σ⁻ and, 
in addition, an input function of the correct type monotonic in its second argument. 

We start defining the special function in_{fAT^L} for input prefixes; then, we shall define 
the functions in Σ⁻_{fAT^L}. 


in_{fAT^L}: Define in_{fAT^L}: AEIT × Fin(EOT → fAT^L) → fAT^L by 


in_{fAT^L}(p, g) = ({{(i, p)}}, f ⊎ ∅) 


where dom(f) = ℳ𝒯({p}) and ∀ot ∈ dom(f): f(ot) = g(ot). 
nil_{fAT^L}: Let nil_{fAT^L} be the tree ({∅}, ∅ ⊎ ∅). 
Ω_{fAT^L}: Let Ω_{fAT^L} be the tree ⊥. 
out^ot_{fAT^L}: For every ot ∈ EOT, define out^ot_{fAT^L}: fAT^L → fAT^L by 


out^ot_{fAT^L}(T) = ({{(o, ot)}}, ∅ ⊎ f) 


where dom(f) = {ot} and f(ot) = T. 
⊕_{fAT^L} (internal choice): Define ⊕_{fAT^L}: (fAT^L × fAT^L) → fAT^L as 


λT.λU. if T = ⊥ or U = ⊥ then ⊥ 
       else let T = (𝒜, f_ir ⊎ f_out) and U = (ℬ, g_ir ⊎ g_out) 
       in (sat(𝒜 ∪ ℬ), h_ir ⊎ h_out) 


where ∀ot ∈ 𝒯(Ev_out(sat(𝒜 ∪ ℬ))), if y = out, and ∀ot ∈ ℳ𝒯(ρ(Ev_ir(sat(𝒜 ∪ ℬ)))), 
if y = ir, it holds that 


h_y(ot) = f_y(ot) ⊕_{fAT^L} g_y(ot)   if ot ∈ dom(f_y) ∩ dom(g_y) 
          f_y(ot)                     if ot ∈ dom(f_y)\dom(g_y) 
          g_y(ot)                     if ot ∈ dom(g_y)\dom(f_y) 


[]_{fAT^L} (external choice): Define []_{fAT^L}: (fAT^L × fAT^L) → fAT^L as 


λT.λU. if T = ⊥ or U = ⊥ then ⊥ 
       else let T = (𝒜, f_ir ⊎ f_out) and U = (ℬ, g_ir ⊎ g_out) 
       in (sat(𝒜 ∨ ℬ), h_ir ⊎ h_out) 


where 𝒜 ∨ ℬ is the pointwise union of 𝒜 and ℬ, i.e. the set {A ∪ B | A ∈ 𝒜, B ∈ ℬ}, 
and h_ir and h_out are defined as in the case of the ⊕_{fAT^L} operator. 
|_{fAT^L} (parallel composition): Define |_{fAT^L}: (fAT^L × fAT^L) → fAT^L as 


λT.λU. if T = ⊥ or U = ⊥ then ⊥ 
       else let T = (𝒜, f_ir ⊎ f_out) and U = (ℬ, g_ir ⊎ g_out) 
       in ⊕_{fAT^L}{T_{A,B} | A ∈ 𝒜, B ∈ ℬ} 
where 

T_{A,B} = if INT(A, B) = ∅ 

          then sumext(A, B) 

          else (sumext(A, B) []_{fAT^L} sumint(A, B)) ⊕_{fAT^L} sumint(A, B) 
sumext(A, B) = Σ_{fAT^L} EXT(A, B) 
sumint(A, B) = ⊕_{fAT^L} INT(A, B) 


INT(A, B) = {f_ir(ot) |_{fAT^L} g_out(ot) | ot ∈ (𝒯(Ev_out(B)) ∩ ℳ𝒯(ρ(Ev_ir(A))))} 
            ∪ {f_out(ot) |_{fAT^L} g_ir(ot) | ot ∈ (𝒯(Ev_out(A)) ∩ ℳ𝒯(ρ(Ev_ir(B))))} 


EXT(A, B) = {in_{fAT^L}(p, f') | p ∈ ρ(Ev_ir(A)), dom(f') = dom(f_ir), 
             ∀ot ∈ dom(f'): f'(ot) = f_ir(ot) |_{fAT^L} U} 
            ∪ {in_{fAT^L}(p, g') | p ∈ ρ(Ev_ir(B)), dom(g') = dom(g_ir), 
             ∀ot ∈ dom(g'): g'(ot) = T |_{fAT^L} g_ir(ot)} 
            ∪ {out^ot_{fAT^L}(f_out(ot) |_{fAT^L} U) | ot ∈ 𝒯(Ev_out(A))} 
            ∪ {out^ot_{fAT^L}(T |_{fAT^L} g_out(ot)) | ot ∈ 𝒯(Ev_out(B))}. 


||_{fAT^L} (communication-merge): Define ||_{fAT^L}: (fAT^L × fAT^L) → fAT^L as 


λT.λU. if T = ⊥ or U = ⊥ then ⊥ 
       else let T = (𝒜, f_ir ⊎ f_out) and U = (ℬ, g_ir ⊎ g_out) 
       in ⊕_{fAT^L}{sumint(A, B) | A ∈ 𝒜, B ∈ ℬ} 
where sumint(A, B) is defined as in the case of the |_{fAT^L} operator. 
⌊_{fAT^L} (left-merge): Define ⌊_{fAT^L}: (fAT^L × fAT^L) → fAT^L as 
λT.λU. if T = ⊥ then ⊥ 
       else let T = (𝒜, f_ir ⊎ f_out) 
       in (𝒜, h_ir ⊎ h_out) 


where dom(h_ir) = dom(f_ir) and dom(h_out) = dom(f_out), and ∀ot ∈ 𝒯(Ev_out(𝒜)), if y 
= out, and ∀ot ∈ ℳ𝒯(ρ(Ev_ir(𝒜))), if y = ir, it holds that h_y(ot) = f_y(ot) |_{fAT^L} U. 
Remark 7.4. Our ordering between partial functions and the distinction between do- 
main and support of a (partial) function permit discriminating between functions "un- 
defined in d" and functions "evaluating to ⊥ in d". We can now show, by means of 
a simple example, why this discrimination is important for our theory. Consider the 
following two processes P = in(7).nil and Q = in(z).if z = 7 then nil else Ω. It can be 
easily seen that P ⋢_M Q and that Q ⊑_M P (take the observers out(5).in(5).success.nil 
and out(5).nil | success.nil, respectively). However, if we adopt the standard denotational 
approach and look at "partial functions" as "global functions evaluating to ⊥ outside their 
domain", thus 


dom(f) = {ot ∈ EOT | f(ot) ≠ ⊥} 


and 


f ≤ g iff dom(g) ⊆ dom(f) and ∀ot ∈ dom(g): f(ot) ≤_{fAT^L} g(ot), 


we would have 𝒟[P] = ({{(i, (7))}}, g_P ⊎ ∅) and 𝒟[Q] = ({{(i, (_))}}, g_Q ⊎ ∅) where func- 
tions g_P and g_Q are both equivalent to g = λx.[x = (7)] → nil_{fAT^L}, ⊥. There- 
fore, since {{(i, (_))}} ⊂⊂ {{(i, (7))}}, we could wrongly conclude that 𝒟[P] ≤_{fAT^L} 𝒟[Q]. In 
our approach, instead, we have dom(g_Q) = ℳ𝒯({(_)}) = {(v) ∈ EOT | v ∈ Val} ≠ {(7)} 
= ℳ𝒯({(7)}) = dom(g_P), hence g_P ≰_Fin g_Q and then 𝒟[P] ≰_{fAT^L} 𝒟[Q]. 


Proposition 7.5. (fAT^L, ≤_{fAT^L}, Σ⁻_{fAT^L}) is a Σ-predomain. 
Proof. Since (fAT^L, ≤_{fAT^L}) is a poset with least element and since, by definition, 


Ω_{fAT^L} is the bottom element of fAT^L, we are only left to show that each function in 
Σ⁻_{fAT^L} is well-defined and monotonic. These proofs are routine. □ 


Proposition 7.6. in_{fAT^L} is well-defined and monotonic in its second argument. 


Proof. Recall that, by definition, if p ∈ AEIT and g ∈ Fin(EOT → fAT^L) then 
in_{fAT^L}(p, g) = ({{(i, p)}}, f ⊎ ∅) where dom(f) = ℳ𝒯({p}) and for all ot ∈ dom(f): 
f(ot) = g(ot). It is obvious that in_{fAT^L} is well-defined, i.e. in_{fAT^L}(p, g) ∈ fAT^L. 

We must show that in_{fAT^L} is monotonic in its second argument. Let us assume that 
g₁, g₂ ∈ Fin_s(EOT → fAT^L) are such that g₁ ≤_{fAT^L} g₂ (recall that ≤_{fAT^L} is the pointwise 
ordering inherited from fAT^L). Define f_j, for j = 1, 2, by 
• dom(f_j) = ℳ𝒯({p}), 

• f_j(ot) = g_j(ot), for all ot ∈ ℳ𝒯({p}). 


Since dom(f₁) = dom(f₂) = ℳ𝒯({p}) and ∀ot ∈ support(f₁): f₁(ot) = g₁(ot) ≤_{fAT^L} 
g₂(ot) = f₂(ot), then f₁ ≤_Fin f₂. The monotonicity of in_{fAT^L} in its second argument 
follows. □ 


R. De Nicola, R. Pugliese / Theoretical Computer Science 238 (2000) 389–437 425 


Now, we can use a standard technique of algebraic semantics, known as comple- 
tion by ideals, for obtaining the algebraic cpo's (fAT^L)^∞ and (Fin_s(EOT → fAT^L))^∞ 
and the unique continuous extensions of the previously defined monotonic functions 
[28, Theorem 3.3.10]. The crucial point is that the algebraic cpo's ((Fin_s(EOT → 
fAT^L))^∞, ≤_Fin) and ((EOT → (fAT^L)^∞), ≤_{fAT^L}) are isomorphic. Since algebraic 
cpo's are completely determined by their compact elements, it suffices to show that 
(Fin_s(EOT → fAT^L), ≤_Fin) and (Comp(EOT → (fAT^L)^∞), ≤_{fAT^L}) (where Comp(EOT 
→ (fAT^L)^∞) is the set of compact elements of (EOT → (fAT^L)^∞)) are isomorphic 
as partial orders; but this follows from the fact that fAT^L and Comp((fAT^L)^∞) are 
isomorphic. 

The required process interpretation domain D is then (fAT^L)^∞ that we will call 
AT^L; this together with the extended functions give a natural interpretation of PAL pro- 
cesses. For the sake of simplicity we name the continuous extensions as the monotonic 
functions; they do extend, but replace the subscript fAT^L with AT^L. 

The next two results follow directly from the standard algebraic semantics theory. 


Corollary 7.7. (AT^L, ≤_{AT^L}, Σ⁻_{AT^L}) is a Σ-domain. 


Corollary 7.8. (AT^L, ≤_{AT^L}, Σ⁻_{AT^L}, in_{AT^L}) is a natural interpretation. 


7.2. Full abstraction of the denotational interpretation 


In this section, we shall prove that the denotational model AT^L is fully abstract with 
respect to the proof-theoretic preorder, i.e. for all processes P and Q, P ⊑ Q is provable if 
and only if 𝒟[P] ≤_{AT^L} 𝒟[Q]. Since we have already proven soundness and completeness 
of the proof system with respect to the behavioural preorder ⊑_M, this will enable 
us to conclude that the denotational model AT^L is fully abstract with respect to the 
testing preorders. 

We start by considering only finite processes and proving a full abstraction result 
for them; then we will generalize the result to general PAL processes. 

The use of compact elements of the model will be essential. These elements, in 
general, do not correspond to finite processes because (finite) processes can input (one 
of) an infinite set of tuples, i.e. processes may not have finite breadth. Therefore, 
by relying on Notation 6.1, we introduce the notions of finite-breadth approximants 
and compact processes. We will show that the compact elements of the cpo are the 
semantic denotations of compact processes, and that every (recursively defined) process 
is semantically the limit of a directed set of compact processes. 


Definition 7.9. For each finite process P, the set of finite-breadth approximants of P, 
Fba(P), is inductively defined as follows: 

1. Fba(Ω) = {Ω}, Fba(nil) = {nil}; 

2. Fba(out(t).Q) = {out(t).Q' | Q' ∈ Fba(Q)}; 

3. Fba(eval(P₁).P₂) = {eval(Q₁).Q₂ | Q₁ ∈ Fba(P₁), Q₂ ∈ Fba(P₂)}; 

4. Fba(P₁ op P₂) = {Q₁ op Q₂ | Q₁ ∈ Fba(P₁), Q₂ ∈ Fba(P₂), op ∈ {⊕, [], |, ⌊, ||}}; 

5. Fba(if be then P₁ else P₂) = {if be then Q₁ else Q₂ | Q_j ∈ Fba(P_j), j = 1, 2}; 

6. Fba(in(t).E) = {in(t).Q(M) | it = ℐ[t], M ⊆_fin ℳ𝒯({ρ(it)}), ∀ot^j ∈ M: Q_{ot^j} ∈ 
Fba(E[ot^j/it])} 
Fba(read(t).E) = {read(t).Q(M) | it = ℐ[t], M ⊆_fin ℳ𝒯({ρ(it)}), ∀ot^j ∈ M: Q_{ot^j} ∈ 
Fba(E[ot^j/it])} 
where Q(M) = if bem(it, ot¹) then Q_{ot¹} else ... if bem(it, ot^m) then Q_{ot^m} else Ω 
whenever M = {ot¹, ot², ..., ot^m}. 
We shall say that a (finite) process P is compact when there exists a finite process Q 
such that P ∈ Fba(Q). 


By construction, we have that for any finite process P, if Q ∈ Fba(P) then Q ⊑_SRP P. 

The following proposition states relevant properties used for proving full abstraction. 


Proposition 7.10. Let P and Q be finite processes; then 

1. R ∈ Fba(P) implies 𝒟[R] ∈ fAT^L, i.e. 𝒟[R] is compact in AT^L; 

2. {𝒟[R] | R ∈ Fba(P)} is directed in AT^L and 𝒟[P] = ⊔{𝒟[R] | R ∈ Fba(P)}; 

3. R is compact and R ⊑_SRP P imply that there exists R' ∈ Fba(P) such that R ⊑_SRP R'; 
4. ∀R ∈ Fba(P): R ⊑_SRP Q implies P ⊑_SRP Q. 


Proof (Outline). 

1. It directly follows by structural induction from the definition of finite-breadth ap- 
proximants of a process. 

2. The proof proceeds by structural induction on P and exploits the continuity of the 
operators on AT^L. The only difficult cases are when P = read(t).E and P = in(t).E 
for those E such that fv(E) ⊆ var(t). Here we only consider the former, the latter 
can be dealt with similarly. 

By definition of Fba and of 𝒟[·], and by structural induction 


{𝒟[R] | R ∈ Fba(read(t).E)} 
= {𝒟[read(t).Q(M)] | M ⊆_fin ℳ𝒯({ρ(it)}), it = ℐ[t], 
   ∀ot^j ∈ M : R_{ot^j} ∈ Fba(E[ot^j/it])} 
= {in_{AT^L}(ρ(it), g) | it = ℐ[t], g ∈ G} 


where Q(M) is the process introduced in Definition 7.9(6) and 


G = {g: EOT → fAT^L | g = λx.[x ∈ M] → (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} 𝒟[R_x]), ⊥, 
     M ⊆_fin ℳ𝒯({ρ(it)}), ∀x ∈ M : R_x ∈ Fba(E[x/it])}. 


Indeed, T |_{AT^L} ⊥ = ⊥ (by definition) and M ⊆_fin ℳ𝒯({ρ(it)}) imply 


λx.[match(it, x)] → (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} ([x ∈ M] → 𝒟[R_x], ⊥)), ⊥ 


= λx.[x ∈ M] → (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} 𝒟[R_x]), ⊥. 
By inductive hypothesis, for x ∈ ℳ𝒯({ρ(it)}), {𝒟[R_x] | R_x ∈ Fba(E[x/it])}, and 
then {(out^x_{AT^L}(nil_{AT^L}) |_{AT^L} 𝒟[R_x]) | R_x ∈ Fba(E[x/it])}, is directed in AT^L. Thus G is 
directed in (EOT → AT^L) and {𝒟[R] | R ∈ Fba(read(t).E)} is directed in AT^L. 
Since in_{AT^L} is continuous in its second argument, we have 


⊔{𝒟[R] | R ∈ Fba(read(t).E)} 
= ⊔{in_{AT^L}(ρ(it), g) | it = ℐ[t], g ∈ G} 
= in_{AT^L}(ρ(it), ⊔G) 


On the other hand, by inductive hypothesis and continuity of the operators on AT^L, 


𝒟[read(t).E] 
= in_{AT^L}(ρ(it), λx.[match(it, x)] → (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} 𝒟[E[x/it]]), ⊥) 
= in_{AT^L}(ρ(it), λx.[match(it, x)] → 
   (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} ⊔{𝒟[R_x] | R_x ∈ Fba(E[x/it])}), ⊥) 
= in_{AT^L}(ρ(it), ⊔K) 


where 


K = {f: EOT → AT^L | f = λx.[match(it, x)] → (out^x_{AT^L}(nil_{AT^L}) |_{AT^L} 𝒟[R_x]), ⊥, 
     ∀x ∈ ℳ𝒯({ρ(it)}): R_x ∈ Fba(E[x/it])}. 


We are only left to show that ⊔G = ⊔K. Since G ⊆ K then obviously ⊔G ≤_{AT^L} ⊔K. 
On the other hand, let f ∈ K and consider the chain of functions {g_j | j ≥ 0} ⊆ G 
with, ∀j ≥ 0, g_j defined by g_j = λx.[x ∈ M_j] → f(x), ⊥ where M₀ ⊆ M₁ ⊆ ... is a 
chain of finite subsets of EOT such that ⋃_j M_j = ℳ𝒯({ρ(it)}). It is easily seen 
that ⊔{g_j | j ≥ 0} = f. We can now deduce that ⊔K ≤_{AT^L} ⊔G, and then ⊔G = ⊔K, 
by applying the following fact from the theory of cpo's: given X and Y subsets of 
a cpo D with s_X = ⊔X and s_Y = ⊔Y, if for each y ∈ Y there exists A_y ⊆ X such 
that y = ⊔A_y then s_Y ≤_D s_X. 
3. The proof proceeds by induction on the depth of the proof of R ⊑_{RP} P within the
proof system RP. Here, we consider the case when III is the last applied rule.
If III is the last applied rule for deducing R ⊑_{RP} P then, since R is compact,
there exist it ∈ EIT, M ⊆_fin 𝒯({ρ(it)}), E and F finite such that fv(E) ⊆
var(it), fv(F) ⊆ var(it), R =_{RP} in(it).E, P =_{RP} in(it).F, ∀ot ∈ 𝒯({ρ(it)}) \
M : E[ot/it] =_{RP} Ω and ∀ot ∈ M : E[ot/it] ⊑_{RP} F[ot/it]. Since ∀ot ∈ M : E[ot/it] is
compact, by induction we may assume that ∀ot ∈ M, ∃R_ot ∈ Fba(F[ot/it]) : E[ot/it]
⊑_{RP} R_ot. Let us now consider the process R'' = in(it).Q(M) (where Q(M) is the process
introduced in Definition 7.9(6)). By definition, it follows that R'' ∈ Fba(in(it).F). By
applying rule III we deduce that R ⊑_{RP} R''. Since R'' ∈ Fba(in(it).F) and P =_{RP}
in(it).F imply that there exists R' ∈ Fba(P) such that R'' =_{RP} R', we conclude that
R ⊑_{RP} R'.


4. Suppose that ∀R ∈ Fba(P): R ⊑_{RP} Q and that P must O. By paralleling the proof
of Proposition 6.21, we can prove that for any process P and observer O, if P
must O then there exists a compact R such that R must O and R ⊑_{RP} P. Since R is
compact and R ⊑_{RP} P then from part 3 of this proposition we deduce that there exists
R' ∈ Fba(P) such that R ⊑_{RP} R'. By hypothesis, we have that R' ⊑_{RP} Q. Therefore,
R must O implies Q must O. □


To prove full abstraction for compact processes (Proposition 7.17), we shall use an
alternative characterization of ≤_{AT'}.
Definition 7.11. Let T, U ∈ fAT', a ∈ Act and ρ ∈ Act*.

• We write T -a-> U if one of the following conditions holds:

  – a = ot!, T = (A, f_in ⊎ f_out), (∅, ot) ∈ Ev_out(T) and U = f_out(ot);

  – a = ot?, T = (A, f_in ⊎ f_out), ∃it : match(it, ot) ∧ (it, ρ(it)) ∈ Ev_in(T) and U = f_in(ot).

• The acceptance set of T after ρ is

  1. 𝒜(T, ε) = A if T = (A, f_in ⊎ f_out), and 𝒜(T, ε) = ∅ otherwise (i.e. if T = ⊥);

  2. 𝒜(T, aρ') = 𝒜(U, ρ') if T -a-> U, and 𝒜(T, aρ') = ∅ otherwise.

• We write

  1. T ⇓ ε if T ≠ ⊥;

  2. T ⇓ aρ' if T ⇓ ε and T -a-> U implies U ⇓ ρ'.

• We write T ≪_{fAT'} U if for every ρ' ∈ Act*

  1. T ⇓ ρ' implies U ⇓ ρ';

  2. 𝒜(U, ρ') ⊂⊂ 𝒜(T, ρ').


Both the propositions below can be proven like analogous results in [35]. 


Proposition 7.12. For T, U ∈ fAT', if T ≪_{fAT'} U then T ⇓ ρ and U -ρ-> U' imply that
there exists T' such that T -ρ-> T' and T' ≪_{fAT'} U'.


Proposition 7.13. For T, U ∈ AT', T ≪_{fAT'} U if and only if T ≤_{AT'} U.

The following results will be used for proving full abstraction for compact processes.
To prove them we will use soundness of the reduced proof system RP with respect to
both ≤_{AT'} and ≪_{fAT'} (soundness of RP w.r.t. ≪_{fAT'} can be proven by paralleling the
proof of soundness of RP w.r.t. ≤_{AT'}), the notion of hnf and the following property
about hnfs.


Proposition 7.14. For any process P such that P ⇓ ε and for every action a ∈ Act:
h(P) =a=> P' iff Z[P] -a-> Z[P'].


Proof. It directly follows by construction of hnfs and by definitions of Z[·] and of
the partial function -a-> on fAT'.


Proposition 7.15. For every compact process R and every ρ ∈ Act*, R ⇓ ρ iff Z[R] ⇓ ρ.


Proof. The proof proceeds by induction on |ρ|, the length of ρ.

If |ρ| = 0, i.e. ρ = ε, and R ⇓ ε then R has a hnf, h(R), and since the proof system
RP is sound with respect to ≤_{AT'}, we have Z[R] = Z[h(R)]. Therefore, since hnfs
are interpreted as non-trivial trees we have Z[R] ≠ ⊥. Conversely, since R is compact,
Z[R] ≠ ⊥ implies R ⇓ ε.

Let us assume now that ρ = a·ρ'. If R ⇓ ε then R has a hnf, h(R), such that R =_{RP} h(R).
Let R_a be such that h(R) =a=> R_a. By Proposition 7.14, we have Z[h(R)] -a-> Z[R_a]. The
hypothesis R ⇓ ρ implies R_a ⇓ ρ', hence, by induction, we may assume that Z[R_a] ⇓ ρ'.
Therefore, Z[h(R)] ⇓ a·ρ'. Since Z[R] = Z[h(R)] we conclude that Z[R] ⇓ a·ρ'. Con-
versely, suppose that Z[R] ⇓ a·ρ', that is (by definition) Z[R] -a-> T implies T ⇓ ρ'. From
the case |ρ| = 0, we already know that the result is true for ρ = ε, then R ⇓ ε, which
implies that there exists a hnf, h(R), such that R =_{RP} h(R). By Proposition 7.14, we
deduce that h(R) =a=> R_a and T = Z[R_a]. Since T ⇓ ρ', by induction, we can assume
that R_a ⇓ ρ'. Since this holds for all R_a such that R =a=> R_a then, by definition, R ⇓ a·ρ'.


Proposition 7.16. For R compact process and ρ ∈ Act*, R ⇓ ρ implies sat(𝒜(R, ρ)) =
𝒜(Z[R], ρ).


Proof. The proof proceeds by induction on ρ. Let us assume that R ⇓ ρ. This implies
that R has a hnf, h(R), and R =_{RP} h(R) and Z[R] = Z[h(R)].

Let ρ = ε. Since R =_{RP} h(R) then R ≪ h(R) and h(R) ≪ R. This means that
sat(𝒜(R, ε)) = sat(𝒜(h(R), ε)). By definition of hnfs, we have sat(𝒜(h(R), ε)) =
𝒜(h(R), ε). By the construction of hnfs, we have 𝒜(h(R), ε) = 𝒜(Z[h(R)], ε). Since
Z[h(R)] = Z[R] we conclude that sat(𝒜(R, ε)) = 𝒜(Z[R], ε).

Let ρ = a·ρ'. By induction, if either of 𝒜(R, a·ρ') or 𝒜(Z[R], a·ρ') is non-empty,
then both are non-empty. Let us assume that they both are non-empty. By defini-
tion, sat(𝒜(R, a·ρ')) = sat(⋃{𝒜(R_a, ρ') | R =a=> R_a}). If R' is such that h(R) =a=> R'
then sat(⋃{𝒜(R_a, ρ') | R =a=> R_a}) = sat(𝒜(R', ρ')). By induction we can assume that
sat(𝒜(R', ρ')) = 𝒜(Z[R'], ρ'). Therefore, by Proposition 7.14, 𝒜(Z[R'], ρ') =
𝒜(Z[h(R)], a·ρ'). Finally, since Z[h(R)] = Z[R] we have sat(𝒜(R, a·ρ')) =
𝒜(Z[R], a·ρ').


Proposition 7.17. For compact processes R and R', R ⊑_{RP} R' iff Z[R] ≤_{AT'} Z[R'].


Proof. Since R ⊑_{RP} R' iff R ⊑ R' iff R ≪ R' (by completeness of RP), and T ≪_{fAT'} U
iff T ≤_{AT'} U, for all compact acceptance trees T and U, then, by Proposition 7.10(1),
it suffices to show that R ≪ R' iff Z[R] ≤_{AT'} Z[R']. This directly follows from Propo-
sitions 7.15 and 7.16.


We now consider finite processes. 


Theorem 7.18. For finite processes P and Q, P ⊑_{RP} Q iff Z[P] ≤_{AT'} Z[Q].


Proof. (⇒) Suppose that P ⊑_{RP} Q. By Proposition 7.10(3), we have that for each
R ∈ Fba(P) there exists R' ∈ Fba(Q) such that R ⊑_{RP} R'. By Proposition 7.17 this im-
plies that Z[R] ≤_{AT'} Z[R']. Therefore, by Proposition 7.10(2), we have Z[P] = ⊔{Z[R]
| R ∈ Fba(P)} ≤_{AT'} ⊔{Z[R'] | R' ∈ Fba(Q)} = Z[Q].

(⇐) Suppose that Z[P] ≤_{AT'} Z[Q]. By Proposition 7.10(2), this implies that ∀R ∈
Fba(P): Z[R] ≤_{AT'} Z[Q]. For each R ∈ Fba(P), since {Z[R'] | R' ∈ Fba(Q)} is directed
in AT' (Proposition 7.10(2)) and Z[R] is compact in AT' (Proposition 7.10(1)), there
exists R' ∈ Fba(Q) such that Z[R] ≤_{AT'} Z[R']. By Proposition 7.17, we have R ⊑_{RP} R'.
By definition, R' ∈ Fba(Q) implies R' ⊑_{RP} Q and thus R ⊑_{RP} Q. By Proposition 7.10(4),
we conclude that P ⊑_{RP} Q.




Full abstraction for general processes is proven by using finite-breadth approximants. 


Definition 7.19. For each non-finite process P, Fba(P) = {R | ∃n ≥ 0 : R ∈ Fba(P^n)}.


Theorem 7.20. For all processes P and Q, P ⊑_{RP} Q iff Z[P] ≤_{AT'} Z[Q].


Proof. For every term E and every ξ ∈ Env, we have
1. Z[E^n]ξ ≤_{AT'} Z[E^{n+1}]ξ, for every n ≥ 0,
2. Z[E]ξ = ⊔{Z[E^n]ξ | n ≥ 0}.
This is a standard result in the algebraic semantics theory and could be proven by
structural induction, paralleling the corresponding proofs (e.g. that of Theorem 42.11)
in [28]. From the previous result, Proposition 7.10 and Theorem 7.18, it directly follows
that


{Z[R] | R ∈ Fba(P)} is directed in AT' and Z[P] = ⊔{Z[R] | R ∈ Fba(P)}. (2)


Moreover, for all processes P and Q, P ⊑_{RP} Q iff ∀n ≥ 0, ∃m ≥ 0 : P^n ⊑_{RP} Q^m (this is a
standard result for type systems similar to ours). Hence, from Proposition 7.10 it follows
that


P ⊑_{RP} Q iff ∀R ∈ Fba(P), ∃R' ∈ Fba(Q) : R ⊑_{RP} R'. (3)


Since {Z[R] | R ∈ Fba(P)} is a set of compact elements in AT', from (2) it follows
that


Z[P] ≤_{AT'} Z[Q] iff ∀R ∈ Fba(P), ∃R' ∈ Fba(Q) : Z[R] ≤_{AT'} Z[R'].


Since it has been already proven that R ⊑_{RP} R' iff Z[R] ≤_{AT'} Z[R'], for compact pro-
cesses R and R', from (3) we conclude that P ⊑_{RP} Q iff Z[P] ≤_{AT'} Z[Q]. □


8. IPAL: imperative PAL 


In this section, we will show that the framework we have defined for PAL can easily 
accommodate the addition of an imperative construct (in the form of action prefixing) 
to the language. In particular, we show that the theory developed for PAL can be 
reused to establish that also the proof system for IPAL is sound and complete (and 
the denotational model is fully abstract). 

We assume that each individual process has its own private store (for binding vari- 
ables to values), which can be accessed by other processes only by explicit com- 
munications. However, for assigning values to free occurrences of variables, we take 
advantage of the syntactic restriction of Definition 3.1 about (value and process) vari- 
ables binders and, differently from [30,23], we do not explicitly model the store but 
use explicit substitutions. This choice allows us to smoothly extend the framework for 
PAL to its imperative variant IPAL. For example, the states of the LTS that charac- 
terizes the operational semantics of the language are purely syntactical objects like in 
PAL and we avoid considering configurations (i.e. pairs of processes and stores) and 
operators over them. 

The syntax of IPAL is obtained by adding a new prefixing operator for assignment 
to that of PAL (Definition 3.1). Thus, the productions for IPAL action prefixes are 


a ::= out(t) | in(t) | read(t) | eval(E) | x := e


Obviously, the unary operator x := e._ binds the variable x within its argument term
and is a new binder for value-variables.

The operational semantics of IPAL is characterized via an LTS which is obtained by
adding to the LTS for PAL the following rule:


IR14   x := e.E ⟼ E[ℰ[e]/x]


which accounts for the behaviour of assignment prefixes. Rule IR14 models an internal
move that updates the store. It affects only the argument of the prefixing but has no
effect on parallel processes which have free occurrences of variables with the same
name as the variable on the left of :=. This change is not directly observable; only
explicit communications with the environment via an out operation make it evident.
Observers cannot access the private store of tested processes, but can only gather
information by communication. The behavioural preorders ⊑ and ≪ are defined
as for PAL and their coincidence (Theorem 5.13) can be proven again.
A proof system for IPAL is obtained by simply adding a specific law for assignment 


AS   x := e.X = X[e/x]
to the proof system for PAL. Since stores can only be investigated by communication
or by conditional choice, we do not introduce any additional inference rule for ensuring
substitutivity of value expressions (rules VII and VIII in Table 10 are sufficient).

All of the results related to the equational semantics of PAL can be proven for
IPAL as well. In particular, in the normalization procedures, law AS is employed for
removing (leading) assignments. By paralleling the proofs given for PAL, it is easy
to check that the proof system for IPAL is sound and complete with respect to the
testing preorders (Theorem 6.23).

For defining the denotational semantics of IPAL, like for the eval and the conditional
operators, we do not use a specific operator on AT' for assignment prefixes. Indeed,
we only add the following clause to the definition of the interpretation function Z[·]
given in Section 7:


10. Z[x := e.E]ξ = Z[E[ℰ[e]/x]]ξ.


The finite-breadth approximants of a finite IPAL process of the form x := e.E are given
by


7. Fba(x := e.E) = {Q | Q ∈ Fba(E[ℰ[e]/x])}.


Again, all of the results concerning the denotational semantics of PAL hold for IPAL. 
Hence, the denotational model is still fully abstract with respect to both the behavioural 
preorders and the proof-theoretic one (Theorem 7.20). 
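Rule IR14 and law AS, together with the matching of input templates against tuples that the whole development relies on, are small enough to execute. The interpreter below is an added illustration written for this page; it is not code from the paper nor from any PAL/IPAL implementation. It assumes a tuple space kept as a Python list, a left-first scheduler that picks one of the interleavings the LTS allows, a three-node expression language, and helper names (ev, subst, match, step, run, private_store_demo) that are mine, not the paper's. It shows that an assignment prefix rewrites only its own continuation, so a parallel component with a free occurrence of the same variable name keeps the value it was bound to by the enclosing in, and that the store change is observable only through the tuples the components emit.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Expressions: literals, variable occurrences Var(x), or binary nodes ("+" | "*", e1, e2).
# (Literal values that happen to be such 3-tuples are not supported in this toy.)
@dataclass(frozen=True)
class Var: name: str

class Formal(str):
    """Template field '!x': binds x in the continuation of an in/read prefix."""

# Terms of the fragment: nil, out(t).E, in(t).E, read(t).E, x := e.E and E | F.
@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Out: fields: tuple; cont: Any
@dataclass(frozen=True)
class In: fields: tuple; cont: Any
@dataclass(frozen=True)
class Read: fields: tuple; cont: Any
@dataclass(frozen=True)
class Assign: var: str; expr: Any; cont: Any
@dataclass(frozen=True)
class Par: left: Any; right: Any

def is_op(e): return isinstance(e, tuple) and len(e) == 3 and e[0] in ("+", "*")

def ev(e):
    """Evaluate a closed expression (my stand-in for the paper's evaluation function)."""
    if isinstance(e, Var):
        raise ValueError(f"free variable {e.name}: the term is not closed")
    if is_op(e):
        a, b = ev(e[1]), ev(e[2])
        return a + b if e[0] == "+" else a * b
    return e

def subst_expr(e, x, v):
    if isinstance(e, Var): return v if e.name == x else e
    if is_op(e): return (e[0], subst_expr(e[1], x, v), subst_expr(e[2], x, v))
    return e

def subst(t, x, v):
    """E[v/x]: replace the free occurrences of x in t by the value v, respecting binders."""
    if isinstance(t, Nil): return t
    if isinstance(t, Par): return Par(subst(t.left, x, v), subst(t.right, x, v))
    if isinstance(t, Out):
        return Out(tuple(subst_expr(f, x, v) for f in t.fields), subst(t.cont, x, v))
    if isinstance(t, (In, Read)):        # a formal '!x' binds x in the continuation
        fields = tuple(f if isinstance(f, Formal) else subst_expr(f, x, v) for f in t.fields)
        bound = any(isinstance(f, Formal) and f == x for f in t.fields)
        return type(t)(fields, t.cont if bound else subst(t.cont, x, v))
    if isinstance(t, Assign):            # x := e binds x in its continuation only, not in e
        return Assign(t.var, subst_expr(t.expr, x, v), t.cont if t.var == x else subst(t.cont, x, v))
    raise TypeError(f"unknown term {t!r}")

def match(template, tup) -> Optional[Dict[str, Any]]:
    """Linda matching: equal arity, formals bind (consistently), actual fields must be equal."""
    if len(template) != len(tup): return None
    binding: Dict[str, Any] = {}
    for f, v in zip(template, tup):
        if isinstance(f, Formal):
            if f in binding and binding[f] != v: return None
            binding[str(f)] = v
        elif f != v:
            return None
    return binding

def step(t, ts: List[tuple]):
    """One internal move of t against the tuple space ts (a multiset kept as a list);
    returns the new term, or None when t cannot move."""
    if isinstance(t, Assign):            # rule IR14:  x := e.E  ->  E[ev(e)/x]
        return subst(t.cont, t.var, ev(t.expr))
    if isinstance(t, Out):               # non-blocking: the tuple is simply made available
        ts.append(tuple(ev(f) for f in t.fields))
        return t.cont
    if isinstance(t, (In, Read)):
        templ = tuple(f if isinstance(f, Formal) else ev(f) for f in t.fields)
        for i, tup in enumerate(ts):
            b = match(templ, tup)
            if b is not None:
                if isinstance(t, In): del ts[i]   # in withdraws the tuple, read only copies it
                cont = t.cont
                for x, v in b.items(): cont = subst(cont, x, v)
                return cont
        return None                      # blocked: no matching tuple yet
    if isinstance(t, Par):               # left-first: one of the schedules the LTS allows
        left = step(t.left, ts)
        if left is not None: return Par(left, t.right)
        right = step(t.right, ts)
        return None if right is None else Par(t.left, right)
    return None                          # nil

def run(t, ts: Optional[List[tuple]] = None):
    """Reduce t until it is stuck; return the residual term and the sorted tuple space."""
    space = list(ts or [])
    while True:
        nxt = step(t, space)
        if nxt is None: return t, sorted(space, key=repr)
        t = nxt

def private_store_demo():
    """in("cfg", !x).( x := x+1 . out("a", x).nil | out("b", x).nil ) run on {("cfg", 10)}
    (constructed sample): the assignment changes x only for its own continuation, so the
    parallel out("b", x) still emits 10, and the update shows up only in the emitted tuples."""
    p = In(("cfg", Formal("x")),
           Par(Assign("x", ("+", Var("x"), 1), Out(("a", Var("x")), Nil())),
               Out(("b", Var("x")), Nil())))
    return run(p, [("cfg", 10)])[1]      # [("a", 11), ("b", 10)]
```

Because an Assign step is literally `subst(cont, var, ev(expr))`, the interpreter also realizes law AS: the process `x := e.X` and the substituted body `X[e/x]` reach the same residual term and tuple space under every schedule. The scheduler is deterministic for readability; a testing-style analysis would instead explore every interleaving that `step` could take at a `Par`.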


9. Conclusions and related work 


In this paper we have studied the impact of a theory of testing of [19] on two 
process description languages that permit writing programs that manipulate values and 
exchange them asynchronously with other programs. The two languages are obtained 
by substituting the uninterpreted actions of a CSP-like process algebra with the Linda 
primitives for process interaction (PAL) and by adding to PAL an assignment command 
(IPAL). Sound and complete proof systems for testing have been defined together with 
a fully abstract denotational model that is based on natural interpretations. This work 
has been instrumental for the development of KLaim, a programming language based 
on PAL for implementing interactive and mobile agents [18]. 

Asynchronous variants of process algebras have already been considered in the liter-
ature for ACP [7], CSP [32], π-calculus [38] and CCS [37]. These works have followed
two main lines that differ in the way non-blocking output actions are modelled: they
are rendered either as state transformers or as processes.

The variants of ACP [8,9], CCS [17] and CSP [36] model output actions as state
transformers: they associate buffers (modelled as state operators in ACP and CCS,
and as processes in CSP) to channels. These variants naturally describe systems with
outputs modelled as unblocked sending primitives that make messages available for
consumption.
In [8,9], asynchronous sending operations are visible. A consequence of this is that
processes which only differ in the sending order of messages are considered as dif-
ferent. An "ad hoc" notion of failure equivalence had to be introduced to correctly
describe process behaviours with respect to deadlock. Here, we can use the usual test-
ing scenario of synchronous process algebras and exploit the different observation (i.e.
communication) mechanism to obtain a different semantics.

In [17], sending operations are not visible and an auxiliary operator is used to store 
the messages that are sent by processes. Thus, messages are somehow linked to the 
sender process and cannot be read by it. This approach is not suitable to model the 
Linda communication paradigm. 

In [36], it is shown that CSP processes with asynchronous communications can
be obtained by attaching a buffer to each of the input and output channels of CSP
processes. This scenario introduces a (centralized) manager process for each commu-
nication channel and asynchrony strongly relies on the fact that sending messages to
channel managers is always possible. Our point of view is that asynchronous commu-
nications are more realistic assumptions for distributed systems; thus we model them
as (first-class) language primitives.

The variants of π-calculus [33,34,11,26,2] and that of CCS described in [42] model
output actions as processes, and use bisimulation-based equivalences to obtain observa-
tional semantics. We have followed a similar approach; output actions are modelled by
means of internal moves that can always take place (i.e. are non-blocking) and cannot
change the structure of terms. This choice, in particular, implies that


out(t1).(out(t2).nil [] out(t3).nil) ≠ (out(t1).out(t2).nil) [] (out(t1).out(t3).nil),

which is apparently in contrast with [10], where the law

ā.(b̄.nil + c̄.nil) = ā.b̄.nil + ā.c̄.nil   (4)


(ā, b̄ and c̄ denote outputs on channels a, b and c) is considered an essential law
for models of asynchronous communications. Actually, the difference is due only to
the distinct choice operators of the languages. Indeed, the + operator used in [10]
can be used to describe both internal and external non-determinism. For example, with
the term ā.b.nil + c.nil (b and c denote inputs on channels b and c) the sending
of a would permit rejecting c. In our setting, the corresponding term would be
(ā.b.nil [] c.nil) ⊕ ā.b.nil. Output actions are dealt with just like the silent action of
CCS in the translation from CCS to TCCS of [20]. Therefore, in our setting the sound
version of (4) above is


out(t1).((out(t2).nil [] out(t3).nil) ⊕ out(t2).nil ⊕ out(t3).nil)
= (out(t1).out(t2).nil [] out(t1).out(t3).nil)
  ⊕ (out(t1).out(t2).nil) ⊕ (out(t1).out(t3).nil).
Only a few well-established theories for process calculi which explicitly manipulate
values have been developed. The only additions to [8,9], that we have already men-
tioned, are [29,30,35]. There a testing framework is developed for a variant of TCCS
[20,28] with value-passing. By and large, we have used methods similar to those of
[29,30,35]; however, tuple-based asynchronous communication calls for a different for-
mal setup. Apart from the presence of non-finitely branching transition systems, we had
to face additional complications introduced by the inability of observers to perceive
the differences among patterns which access a given tuple. To take this problem into
account, we introduced the notion of (closed set of) events. The major impact of the
communication mechanism on the denotational model is that the sequel of an input
action is a partial function defined only for the tuples that match the pattern used.

Another approach to the formal analysis of the semantics of Linda-based communi- 
cation paradigms has been followed in [15]. There, one can find another example of 
tuning the process algebraic techniques for dealing with the Linda paradigm. The basic 
idea is that of considering tuples as atomic items with a unique identification name. 
This choice, on the one hand, simplifies the required mathematics, but on the other, 
prevents taking into account all of the subtleties of the Linda communication model. 
A similar behaviour can also be modelled within our framework by introducing the 
simplifying assumption that tuples are atomic items. 

Our extension to IPAL of the semantic set-up for PAL is simpler than that of [30,35]
for CCS with value-passing and assignment. There, stores (for binding variables to
values) are explicitly modelled, and the operational semantics has to consider config-
urations (i.e. pairs of processes and stores) and operators over them. Moreover, the
new proof system is obtained by extending the (applicative) laws for PAL with a
family of laws (one for each process operator) for rewriting assignments in the nor-
malization procedure and an inference rule for ensuring substitutivity of expressions
in assignments. Here, by taking advantage of the syntactic restriction of Definition 3.1
about (value and process) variable binders, we show that a single additional law is
sufficient for the complete equational characterization of IPAL. Had we removed the
syntactic restriction, we would have had to use parameterized process variables in order to
avoid providing PAL with a counterintuitive and unsatisfactory semantics that models
recursive terms differently from their unfoldings.

The use of action prefixing instead of full sequential composition has also been 
essential for “reusing” the semantical machinery introduced in [22,43] for PAL. Had we 
chosen to use sequential composition, terms would inherit stores and the equivalences 
would not be congruences. 

The development of a similar framework to deal with full sequential program com-
position rather than with action prefixing is in progress. In [21] we have already
studied an imperative language, L, obtained by embedding the Linda primitives for
interprocess communication in a simple imperative language with sequential composi-
tion. We succeeded in defining a testing scenario for L, by enabling observers to test
the (final) store of (finite computations of) programs; but we were not able to ob-
tain an equational characterization of the testing preorders over this richer language.
Obviously, this makes it difficult to use that framework for verifying programs.

Additional work is also needed to deal properly with the (left and communication)
merge operators and the (general) external choice operator. Their use, on the one hand,
has made the definition of the alternative behavioural characterization and of the
proof system easier; but, on the other, it has significantly increased the discriminating
power of observers. Indeed, the merge operators permit expressing causal dependencies
on output actions. Thus, our observation mechanism allows observers to determine
whether a system has actually consumed a message. Moreover, outputs at choice points
require synchronizations at the implementation level. All this may conflict with the idea
that asynchronous outputs are intended to take place immediately without requiring
availability of a corresponding input; in these circumstances it might be argued that
observers cannot be guaranteed that a message has been consumed. As a consequence
our observational theory is, to a certain extent, too discriminating; indeed,
some equational laws for asynchronous bisimulation of [2] are not valid for our testing
equivalence. We see two possibilities for weakening our behavioural relations in this
respect: omitting the merge operators and using a less general (input guarded) external
choice operator, or modifying the observation mechanism.